[Freeipa-users] ipa krbtpolicy-mod --maxlife

george he george_he7 at yahoo.com
Tue Jul 31 12:09:28 UTC 2012


Thank you, Martin. This helps.
George




>________________________________
> From: Martin Kosek <mkosek at redhat.com>
>To: george he <george_he7 at yahoo.com> 
>Cc: "freeipa-users at redhat.com" <freeipa-users at redhat.com> 
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
> 
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>>   Max life: 360000
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - maximal lifetime which can
>be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and the
>lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per krb5.conf man page:
>
>       ticket_lifetime
>              The  value  of this tag is the default lifetime for initial
>              tickets.  The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
>  Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: admin at REDHAT.COM
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/REDHAT.COM at REDHAT.COM
>
>HTH,
>Martin
>
>
>
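
The distinction made in the quoted reply (requested lifetime versus policy maximum), as an added example that is not part of the original thread or of FreeIPA. It assumes a simplified model in which the KDC grants the smaller of the requested lifetime and every maximum that applies, and a klist row in the MM/DD/YY format shown above; the function names are hypothetical.

```python
import re
from datetime import datetime

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Seconds from a krb5-style duration: '360000', '2d', '1d12h' or 'h:m[:s]'."""
    text = text.strip().lower()
    if text.isdigit():                      # bare number means seconds
        return int(text)
    if ":" in text:                         # h:m or h:m:s
        parts = [int(p) for p in text.split(":")]
        h, m, s = parts + [0] * (3 - len(parts))
        return h * 3600 + m * 60 + s
    if not re.fullmatch(r"(\d+[dhms])+", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def granted_lifetime(requested, *policy_maxima):
    """Simplified model (assumption): min of the request and each policy maximum."""
    limits = [parse_duration(p) for p in policy_maxima]
    return min([parse_duration(requested)] + limits)

def klist_lifetime(row):
    """Lifetime in seconds of one klist row ('Valid starting' to 'Expires')."""
    fields = row.split()
    fmt = "%m/%d/%y %H:%M:%S"
    start = datetime.strptime(" ".join(fields[0:2]), fmt)
    end = datetime.strptime(" ".join(fields[2:4]), fmt)
    return int((end - start).total_seconds())

if __name__ == "__main__":
    # George's case: policy raised to 360000 s, but kinit still asks for the
    # krb5.conf default ticket_lifetime of 1d, so the ticket lasts 24 hours.
    print("default request :", granted_lifetime("1d", "360000"))
    # Martin's case: kinit -l 2d against --maxlife 172800.
    print("kinit -l 2d     :", granted_lifetime("2d", "172800"))
    # Constructed case: asking for more than the policy allows is capped.
    print("kinit -l 7d     :", granted_lifetime("7d", "360000"))
    # The klist row from the reply, checked against the 2d request.
    row = "07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/REDHAT.COM at REDHAT.COM"
    print("klist lifetime  :", klist_lifetime(row))
```

Raising --maxlife only lifts the ceiling; the ticket gets longer only when the request (kinit -l or ticket_lifetime in krb5.conf) is raised as well.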