Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-31 Thread george he
Thank you, Martin. This helps.
George




>
> From: Martin Kosek 
>To: george he  
>Cc: "freeipa-users@redhat.com"  
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
> 
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 36
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>>   Max life: 36
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - maximal lifetime which can
>be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and
>the lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per krb5.conf man page:
>
>       ticket_lifetime
>              The  value  of this tag is the default lifetime for initial
>              tickets.  The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
>  Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: ad...@redhat.com
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat@redhat.com
>
>HTH,
>Martin
>
>
>___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-31 Thread Martin Kosek
On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 36
> but then after I do kinit, my new ticket is still going to expire after 24
> hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
>   Max life: 36
> What am I missing? I'm using ipa2.2 on FC17.
> Thanks,
> George

Hello George,

I think there are 2 different things being mixed - maximal lifetime which can
be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and
the lifetime of a ticket that is actually requested.

The requested lifetime is by default 24h, as per krb5.conf man page:

       ticket_lifetime
              The  value  of this tag is the default lifetime for initial
              tickets.  The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically kinit with a
chosen lifetime, you should get it:

# ipa krbtpolicy-mod admin --maxlife 172800
  Max life: 172800

# kinit -l 2d

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@redhat.com

Valid starting     Expires            Service principal
07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat@redhat.com

HTH,
Martin
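
The reply above separates the policy "Max life" from the lifetime a ticket was actually issued with. The following is an added example, not part of the original thread: it parses klist output in the layout shown above and compares each ticket's lifetime against a Max life value in seconds. The realm, the principal names and the date format are assumptions made for the sample.

```python
from datetime import datetime

# Constructed sample in the klist layout shown in the thread
# (realm and principal names are placeholders).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Assumption: klist prints MM/DD/YY HH:MM:SS; other locales print differently.
TIME_FORMAT = "%m/%d/%y %H:%M:%S"


def ticket_lifetimes(klist_output):
    """Return {service principal: issued lifetime in seconds}."""
    lifetimes = {}
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # cache/principal lines, "renew until" lines, blanks
        try:
            start = datetime.strptime(" ".join(fields[0:2]), TIME_FORMAT)
            end = datetime.strptime(" ".join(fields[2:4]), TIME_FORMAT)
        except ValueError:
            continue  # the column header also has five fields
        lifetimes[fields[4]] = int((end - start).total_seconds())
    return lifetimes


def audit(klist_output, max_life):
    """Compare each issued lifetime with the policy Max life (seconds)."""
    report = {}
    for service, life in ticket_lifetimes(klist_output).items():
        report[service] = {
            "lifetime": life,
            "within_policy": life <= max_life,
            # Seconds the policy would still allow beyond what was issued,
            # e.g. when the client asked for its 1d default.
            "unused": max(0, max_life - life),
        }
    return report


if __name__ == "__main__":
    for service, row in audit(SAMPLE_KLIST, 172800).items():
        print(service, row)
```

A large "unused" value next to a raised Max life is the situation from the original question: the policy allows more, but the client requested its default lifetime.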



[Freeipa-users] ipa krbtpolicy-mod --maxlife

2012-07-30 Thread george he
Hello all,
I'm trying to change the krb ticket life time for myself, so I used
ipa krbtpolicy-mod MYUSERNAME --maxlife 36
but then after I do kinit, my new ticket is still going to expire after 24 
hours, which is the default ticket life, even though 

ipa krbtpolicy-show MYUSERNAME
returns
  Max life: 36

What am I missing? I'm using ipa2.2 on FC17.
Thanks,
George