Thank you, Martin. This helps.
George
>
> From: Martin Kosek
>To: george he
>Cc: "freeipa-users@redhat.com"
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
>
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 36
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>> Max life: 36
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - maximal lifetime which can be
>configured in IPA (KDC) with the krbtpolicy-mod command you just showed and the
>lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per krb5.conf man page:
>
> ticket_lifetime
> The value of this tag is the default lifetime for initial
> tickets. The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
> Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: ad...@redhat.com
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat@redhat.com
>
>HTH,
>Martin
>
>
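
Added example, not part of the original thread: a Python check that compares the lifetime shown by klist with what the reply's explanation predicts, modelling the granted lifetime as the smaller of the requested lifetime and the policy maximum (a simplification). The function names are hypothetical, only the "NdNhNmNs" and bare-seconds duration forms are handled, and the mm/dd/yy date layout is assumed from the quoted klist output.

```python
import re
from datetime import datetime

# Seconds per unit for the "NdNhNmNs" duration form (e.g. "2d", "1d12h").
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"

def parse_duration(text):
    """Convert a lifetime such as '2d', '1d12h' or '172800' into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def expected_lifetime(requested, maxlife_seconds):
    """Assumed model: the request is granted, capped by the policy maximum."""
    return min(parse_duration(requested), maxlife_seconds)

def granted_lifetime(klist_output):
    """Seconds between 'Valid starting' and 'Expires' for the krbtgt entry."""
    for line in klist_output.splitlines():
        m = re.search(_TS + r"\s+" + _TS + r"\s+krbtgt/", line)
        if m:
            start, end = (datetime.strptime(t, "%m/%d/%y %H:%M:%S")
                          for t in m.groups())
            return int((end - start).total_seconds())
    raise ValueError("no krbtgt entry found")

def check(klist_output, requested, maxlife_seconds, slack=60):
    """True when the klist lifetime is within `slack` seconds of the expected one."""
    want = expected_lifetime(requested, maxlife_seconds)
    return abs(granted_lifetime(klist_output) - want) <= slack

# klist output from the quoted reply (kinit -l 2d with --maxlife 172800).
KLIST = """\
Valid starting Expires Service principal
07/31/12 03:00:17 08/02/12 03:00:14 krbtgt/redhat@redhat.com
"""

if __name__ == "__main__":
    print(granted_lifetime(KLIST))          # lifetime actually granted, in seconds
    print(check(KLIST, "2d", 172800))       # explicit 2d request against a 2d maximum
    print(expected_lifetime("1d", 172800))  # default 1d request stays at one day
```

Under this model, raising the maximum alone leaves a default kinit at one day, which is why the reply also passes -l 2d.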