On (16/02/17 18:05), William Muriithi wrote:
>> The fact that your desktops are using SSSD changes the situation 
>> dramatically.
>> SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
>> logging-in.
>> And can be configured to renew the ticket for the user until the ticket renew
>> life time expires.
>> Given this you can keep ticket life time reasonable short (~1 day) set ticket
>> renewable life time to longer period (~2 weeks) and maintain reasonable
>> security level without negative impact on user's daily work.
>> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
>> in sssd-krb5 man page.
>Thanks a lot.  I did actually end up using this.   Will wait for a
>couple of days and see if anybody if the situation is better and
>update you.
>Curious though, why isn't renewal interval setup by default?  Is there
>a negative consequence of having SSSD renewing tickets by default?  I
>can't think of any and hence a bit lost on explaining the default

Desktop/laptop user usually does not need automatic renewal.
They authenticate/login/unlock screen quite often and for each
action sssd authenticate against IPA server which automatically get/renew
krb5 ticket. Unless machine is offline.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to