[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.

Rob Crittenden rcritten at redhat.com
Wed Feb 9 15:07:19 UTC 2011


David O'Brien wrote:
> Rob Crittenden wrote:
>> David O'Brien wrote:
>>> Dmitri Pal wrote:
>>>> On 02/07/2011 06:46 PM, David O'Brien wrote:
>>>>> Jenny Galipeau wrote:
>>>>>> Pavel Zuna wrote:
>>>>>>> It seems that restarting krb5kdc is only needed when changes to the
>>>>>>> global policy are made. Per-user policies take effect immediately
>>>>>>> for newly requested tickets. Can someone please confirm?
>>>>>> Yes, in testing this is the behavior. If the help could specify that
>>>>>> an ipactl restart is required after global policy change, that would
>>>>>> be great.
>>>>>> Thanks
>>>>>> Jenny
>>>>>>
>>>>> Please raise a suitable bugzilla to get this included in the user doc.
>>>>> So far I only have doc about restarting IPA services after ipa
>>>>> krbtpolicy-reset.
>>>>
>>>> Isn't it the same thing?
>>>
>>> I took "changes" to mean using krbtpolicy-mod and any others, not just
>>> -reset, which is the info I received last time.
>>
>> The bottom line is that any change to the global Kerberos ticket
>> policy requires a restart of the KDC to see the changes (/sbin/service
>> krb5kdc restart). IMHO restarting the entire IPA world for this is
>> overkill.
>>
>> rob
> ok, so we're still talking about any changes to the global ticket
> policy, not just using ipa krbtpolicy-reset, which is what I had before.
> I'll update this bit and just recommend krb5kdc restart like you say.
>
> cheers
>

ACK, pushed to master



