[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.

David O'Brien davido at redhat.com
Wed Feb 9 02:30:21 UTC 2011


Rob Crittenden wrote:
> David O'Brien wrote:
>> Dmitri Pal wrote:
>>> On 02/07/2011 06:46 PM, David O'Brien wrote:
>>>> Jenny Galipeau wrote:
>>>>> Pavel Zuna wrote:
>>>>>> It seems that restarting krb5kdc is only needed when changes to the
>>>>>> global policy are made. Per-user policies take effect immediately
>>>>>> for newly requested tickets. Can someone please confirm?
>>>>> Yes, in testing this is the behavior. If the help could specify that
>>>>> an ipactl restart is required after global policy change, that would
>>>>> be great.
>>>>> Thanks
>>>>> Jenny
>>>>>
>>>> Please raise a suitable bugzilla to get this included in the user doc.
>>>> So far I only have doc about restarting IPA services after ipa
>>>> krbtpolicy-reset.
>>>
>>> Isn't it the same thing?
>>
>> I took "changes" to mean using krbtpolicy-mod and any others, not just
>> -reset, which is the info I received last time.
> 
> The bottom line is that any change to the global Kerberos ticket policy 
> requires a restart of the KDC to see the changes (/sbin/service krb5kdc 
> restart). IMHO restarting the entire IPA world for this is overkill.
> 
> rob
OK, so we're still talking about any changes to the global ticket
policy, not just using ipa krbtpolicy-reset, which is what I had before. 
I'll update this bit and just recommend krb5kdc restart like you say.

cheers

-- 

David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189


"He who asks is a fool for five minutes, but he who does not ask remains 
a fool forever."
  ~ Chinese proverb



