[Freeipa-users] How to change kerberos key lifetime?

William Muriithi william.muriithi at gmail.com
Wed Feb 15 19:13:04 UTC 2017


Hello

We are currently mostly using RHEL 6 on the clients, but IPA is on RHEL
7.3. I am using Kerberos to authenticate NFS mounts and it's working
fine.  However, there are a lot of users who are complaining that it's
causing too many problems.  They are all related to key expiry.


I have looked at how to rectify this and noticed that the only
solution with RHEL 6 is to increase the time the key is valid.
However, it hasn't worked: the key lifetime remains a day, with a maximum
lifetime of 7 days.

These are the changes I have made so far:

Changed the policy on IPA:

[root at lithium ~]# ipa krbtpolicy-show
  Max life: 15552000
  Max renew: 25552000
[root at lithium ~]#


Changed kerberos configuration:

[libdefaults]
  default_realm = ENG.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  # 4320h = 180 days. This is the lifetime the client asks for; the KDC
  # issues the smaller of this request and its own limits.
  ticket_lifetime = 4320h
  forwardable = yes
  # 0 = always try TCP before UDP when talking to the KDC
  udp_preference_limit = 0


Changed sssd configurations:

[domain/eng.example.com]
# Renewable lifetime SSSD requests for the TGT, and how often (in seconds)
# SSSD tries to renew cached tickets before they expire
krb5_renewable_lifetime = 180d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = eng.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = platinum.eng.example.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, lithium.eng.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default

[sssd]
services = nss, sudo, pam, autofs, ssh
domains = eng.example.com

[nss]
homedir_substring = /home

None have led to any difference, as seen below.  What would I be missing?

Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
Default principal: william at ENG.EXAMPLE.COM

Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/ENG.EXAMPLE.COM at ENG.EXAMPLE.COM
        renew until 03/01/17 13:17:11

Regards,
William
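Added diagnostic example, not part of William's message or of FreeIPA's own code: a Python script that parses the klist output, the krbtpolicy output and the krb5.conf and sssd.conf fragments quoted in the message, normalises every limit to seconds, and reports which configured value the issued TGT actually equals. An MIT KDC issues the smallest of the client's request, the principal's ticket policy (the IPA krbtpolicy here) and the realm's max_life/max_renewable_life in the KDC's kdc.conf, so kdc.conf is included as a fourth input; its 7d/14d values are assumed for illustration and are not quoted in the message. The `@` in the sample klist output stands in for the archive's " at ".

```python
"""Added diagnostic (not code from the post): parse the klist output and every
place a TGT limit is set, normalise to seconds, and report which configured
limit the issued ticket actually matches.  Samples are constructed from the
values quoted in the post, except KDC_CONF, whose caps are assumed."""
import re
from datetime import datetime

KRBTPOLICY_OUTPUT = """\
  Max life: 15552000
  Max renew: 25552000
"""
KRB5_CONF = """\
[libdefaults]
  ticket_lifetime = 4320h
"""
SSSD_CONF = """\
[domain/eng.example.com]
krb5_renewable_lifetime = 180d
"""
# ASSUMED realm section of the KDC's kdc.conf; MIT KDCs cap tickets here too.
KDC_CONF = "[realms]\n ENG.EXAMPLE.COM = {\n  max_life = 7d\n  max_renewable_life = 14d\n }\n"
KLIST_OUTPUT = """\
Default principal: william@ENG.EXAMPLE.COM

Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/ENG.EXAMPLE.COM@ENG.EXAMPLE.COM
        renew until 03/01/17 13:17:11
"""
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
_FMT = "%m/%d/%y %H:%M:%S"

def parse_duration(text):
    """Seconds from bare seconds ('3600'), h:m[:s] ('36:00') or unit suffixes
    ('4320h', '7d', '1d12h'); a subset of the krb5 duration grammar."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    if ":" in text:
        h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
        return h * 3600 + m * 60 + s
    pairs = re.findall(r"(\d+)\s*([smhd])", text)
    if not pairs:
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * _UNITS[u] for n, u in pairs)

def read_settings(text, wanted):
    """Collect 'key = value' / 'Key: value' lines whose key is in `wanted`."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][\w ]*?)\s*[=:]\s*(\S+)", line)
        if m and m.group(1) in wanted:
            found[m.group(1)] = m.group(2)
    return found

def parse_klist_tgt(text):
    """(issued, expires, renew_until) of the krbtgt entry in klist output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(%s)\s+(%s)\s+krbtgt/" % (_STAMP, _STAMP), line)
        if not m:
            continue
        issued, expires = (datetime.strptime(g, _FMT) for g in m.groups())
        renew_until = expires  # a non-renewable ticket has no 'renew until' line
        if i + 1 < len(lines):
            r = re.search(r"renew until (%s)" % _STAMP, lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), _FMT)
        return issued, expires, renew_until
    raise ValueError("no krbtgt entry in klist output")

def configured_limits(policy, krb5, sssd, kdc):
    """Every configured cap or request, labelled by source, in seconds."""
    limits = {"krbtpolicy " + k: int(v)
              for k, v in read_settings(policy, {"Max life", "Max renew"}).items()}
    for label, text, keys in (
        ("krb5.conf", krb5, {"ticket_lifetime", "renew_lifetime"}),
        ("sssd.conf", sssd, {"krb5_lifetime", "krb5_renewable_lifetime"}),
        ("kdc.conf", kdc, {"max_life", "max_renewable_life"}),
    ):
        for key, val in read_settings(text, keys).items():
            limits["%s %s" % (label, key)] = parse_duration(val)
    return limits

def diagnose(klist=KLIST_OUTPUT, policy=KRBTPOLICY_OUTPUT, krb5=KRB5_CONF,
             sssd=SSSD_CONF, kdc=KDC_CONF):
    """Issued (life, renew) in seconds, plus the configured limits each equals."""
    issued, expires, renew_until = parse_klist_tgt(klist)
    life = int((expires - issued).total_seconds())
    renew = int((renew_until - issued).total_seconds())
    limits = configured_limits(policy, krb5, sssd, kdc)
    return life, renew, {"life": [k for k, v in limits.items() if v == life],
                         "renew": [k for k, v in limits.items() if v == renew]}

if __name__ == "__main__":
    life, renew, matches = diagnose()
    for name, secs, hits in (("ticket life", life, matches["life"]),
                             ("renewable for", renew, matches["renew"])):
        verdict = ("matches " + ", ".join(hits)) if hits else \
            "matches no listed limit; check the per-user 'ipa krbtpolicy-show USER'"
        print("%s: %dd (%ds) %s" % (name, secs // 86400, secs, verdict))
```

On a real host, replace the constructed strings with the output of klist and ipa krbtpolicy-show and the contents of /etc/krb5.conf, /etc/sssd/sssd.conf and the KDC's kdc.conf. With the sample values, the 7-day life and 14-day renewable period match only the assumed kdc.conf caps, which is the kind of mismatch the script is meant to surface: raising the IPA policy and the client-side request does nothing while a lower realm cap remains in force.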
