On Thu, 2012-02-16 at 15:52 +0100, Ondrej Valousek wrote:
> Hi Stephen,
>
> Alright then - so if I understand correctly, I can have a situation
> where TGTs are generated with a short lifetime (say 7 days) but long
> renewable periods (say 6 months).
>
> I can then configure sssd to renew the Kerberos cache on the user's behalf
> every 7 days. It will work nicely for 6 months and then the user will be
> forced to renew his cache manually (by entering the password).
>
> Now what happens if I lock the account / fire the person in the
> meantime? The KDC should refuse the renewal, right?
In order to renew a ticket, the principal name must exist and not be disabled. However, a 6-month renewal time is generally not a good idea, and normally unneeded. If you configure sssd on your system, every time a user logs in or unlocks the screen we obtain a fresh new ticket. I would suggest you stay conservative and give tickets that last 24h and renewal times of a week. For normal scenarios this is more than sufficient.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
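The exchange above hinges on what a renewable TGT buys an attacker after the account is locked. The following toy model, added here and not code from the thread or from sssd or MIT Kerberos, encodes only the KDC's renewal decision (principal valid, ticket not yet expired, renew-till not passed, new end time capped at renew-till) and a client that renews on a schedule and falls back to a password login when renewal is refused. The principal name, dates and renewal interval are constructed; the two scenarios compared are Ondrej's 7-day/6-month proposal and Simo's 24h/1-week recommendation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Ticket:
    principal: str
    endtime: datetime     # end of this ticket's lifetime
    renew_till: datetime  # absolute end of the renewable period

class KDC:
    """Toy KDC: only the lifetime/renewal/lockout decisions, no crypto."""
    def __init__(self, max_life: timedelta, max_renew_life: timedelta):
        self.max_life, self.max_renew_life = max_life, max_renew_life
        self.disabled = set()  # principals the admin has locked or removed

    def authenticate(self, principal: str, now: datetime) -> Optional[Ticket]:
        # AS-REQ with the password: refused once the principal is disabled
        if principal in self.disabled:
            return None
        return Ticket(principal, now + self.max_life, now + self.max_renew_life)

    def renew(self, t: Ticket, now: datetime) -> Optional[Ticket]:
        # TGS-REQ with RENEW: principal must still be valid, the ticket must not
        # have expired, and renew_till must not have passed (RFC 4120 3.3.3);
        # the renewed ticket never outlives renew_till
        if t.principal in self.disabled or now >= t.endtime or now >= t.renew_till:
            return None
        return Ticket(t.principal, min(now + self.max_life, t.renew_till), t.renew_till)

def exposure_hours_after_lock(lifetime_days, renew_days, interval_hours, lock_after_days):
    """Simulate an sssd-style client renewing every interval_hours, with the user
    re-entering the password whenever renewal is refused. Return how many hours
    a valid TGT outlives the account lock (constructed scenario)."""
    kdc = KDC(timedelta(days=lifetime_days), timedelta(days=renew_days))
    start = datetime(2012, 2, 16, 15, 52)          # constructed start time
    lock_at = start + timedelta(days=lock_after_days)
    now, ticket = start, kdc.authenticate("user@EXAMPLE.COM", start)  # constructed principal
    while True:
        now += timedelta(hours=interval_hours)
        if now >= lock_at:
            kdc.disabled.add(ticket.principal)
        fresh = kdc.renew(ticket, now) or kdc.authenticate(ticket.principal, now)
        if fresh is None:  # renewal refused and password login refused: access ends
            leftover = ticket.endtime - lock_at
            return max(leftover, timedelta(0)).total_seconds() / 3600
        ticket = fresh
```

With the 7-day ticket renewed every 3.5 days, the locked user keeps a valid TGT for up to 120 hours after the lock; with Simo's 24h tickets renewed every 12 hours, the window shrinks to 12 hours, showing that the ticket lifetime, not the renewable lifetime, bounds post-lockout exposure.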
