[Freeipa-users] ipa krbtpolicy-mod --maxlife
Martin Kosek
mkosek at redhat.com
Tue Jul 31 07:04:43 UTC 2012
On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
> but then after I do kinit, my new ticket is still going to expire after 24
> hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
> Max life: 360000
> What am I missing? I'm using ipa2.2 on FC17.
> Thanks,
> George
Hello George,
I think there are 2 different things being mixed - maximal lifetime which can
be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and the
lifetime of a ticket that is actually requested.
The requested lifetime is by default 24h, as per krb5.conf man page:

    ticket_lifetime
        The value of this tag is the default lifetime for initial
        tickets. The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically run kinit with a
chosen lifetime, you should get it:

    # ipa krbtpolicy-mod admin --maxlife 172800
      Max life: 172800
    # kinit -l 2d
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: admin at REDHAT.COM

    Valid starting     Expires            Service principal
    07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/REDHAT.COM at REDHAT.COM

HTH,
Martin
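
An added example, not part of the original message: a small Python check that tells which setting explains the lifetime klist reports, the client's request (kinit -l or ticket_lifetime, default 1d) or the krbtpolicy maxlife. The function names, the EXAMPLE.COM realm and the sample inputs are constructed, and the klist date format is assumed to be the one shown in the reply.

```python
import re
from datetime import datetime

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
KLIST_TIME = "%m/%d/%y %H:%M:%S"  # assumption: klist date format as shown in this post

def parse_duration(text):
    """Seconds for '360000', '2d' or '1d12h' (the h:m:s form is not handled)."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[dhms]\s*)+", text):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def requested_lifetime(krb5_conf, kinit_l=None):
    """What the client asks for: kinit -l, else ticket_lifetime, else 1 day."""
    if kinit_l is not None:
        return parse_duration(kinit_l)
    m = re.search(r"^\s*ticket_lifetime\s*=\s*(\S.*)$", krb5_conf, re.M)
    return parse_duration(m.group(1)) if m else UNITS["d"]

def granted_lifetime(klist_row):
    """Seconds between 'Valid starting' and 'Expires' on one klist row."""
    stamps = re.findall(r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d", klist_row)
    start, expires = (datetime.strptime(s, KLIST_TIME) for s in stamps[:2])
    return int((expires - start).total_seconds())

def limiting_factor(maxlife, krb5_conf, klist_row, kinit_l=None, slack=60):
    """Name the setting that explains the lifetime klist reports."""
    requested = requested_lifetime(krb5_conf, kinit_l)
    granted = granted_lifetime(klist_row)
    if abs(granted - min(requested, maxlife)) > slack:
        return "other limit"  # neither value explains the ticket
    return "client request" if requested <= maxlife else "krbtpolicy maxlife"

# Constructed sample inputs (realm is a placeholder; ROW_2D reuses the
# timestamps from the klist output in the reply).
CONF = "[libdefaults]\n  default_realm = EXAMPLE.COM\n"  # no ticket_lifetime set
ROW_24H = "07/30/12 17:00:00 07/31/12 17:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM"
ROW_2D = "07/31/12 03:00:17 08/02/12 03:00:14 krbtgt/EXAMPLE.COM@EXAMPLE.COM"

if __name__ == "__main__":
    # maxlife raised to 360000 but plain kinit: the 1d client default wins
    print(limiting_factor(360000, CONF, ROW_24H))
    # maxlife 172800 and kinit -l 2d, as in the reply
    print(limiting_factor(172800, CONF, ROW_2D, kinit_l="2d"))
    # kinit -l 7d against maxlife 172800: the KDC policy caps the ticket
    print(limiting_factor(172800, CONF, ROW_2D, kinit_l="7d"))
```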