[Freeipa-users] How to change kerberos key lifetime?

David Kupka dkupka at redhat.com
Thu Feb 16 07:22:50 UTC 2017


On Wed, Feb 15, 2017 at 02:13:04PM -0500, William Muriithi wrote:
> Hello
> 
> We are currently mostly using RHEL 6 on the clients but IPA is on RHEL
> 7.3. I am using Kerberos to authenticate NFS mount and its working
> fine.  However, there is a lot of users who are complaining that its
> causing too much problems.  They are all related to key expiry
> 
> 
> I have looked at how to rectify this and noticed that the only
> solution with RHEL 6 is to increase the time the key is valid.
> However, it hasn't worked, the key lifetime remains a day and maximum
> lifetime of 7 days.
> 
> These are the changes I have made so far:
> 
> Changed the policy on IPA:
> 
> [root@lithium ~]# ipa krbtpolicy-show
>   Max life: 15552000
>   Max renew: 25552000
> [root@lithium ~]#
> 
> 
> Changed kerberos configuration:
> 
> [libdefaults]
>   default_realm = ENG.EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   rdns = false
>   ticket_lifetime = 4320h
>   forwardable = yes
>   udp_preference_limit = 0
> 
> 
> Changed sssd configurations:
> 
> [domain/eng.example.com]
> 
> krb5_renewable_lifetime = 180d
> krb5_renew_interval = 3600
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = eng.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = platinum.eng.example.com
> chpass_provider = ipa
> ipa_dyndns_update = True
> ipa_server = _srv_, lithium.eng.example.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> autofs_provider = ipa
> ipa_automount_location = default
> [sssd]
> services = nss, sudo, pam, autofs, ssh
> 
> domains = eng.example.com
> [nss]
> homedir_substring = /home
> 
> None have led to any difference, as seen below.  What would I be missing?
> 
> Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
> Default principal: william@ENG.EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/ENG.EXAMPLE.COM@ENG.EXAMPLE.COM
>         renew until 03/01/17 13:17:11
> 
> Regards,
> William
> 

Hello William,
first, you're mentioning "key expiry", but if I understand correctly you're
interested in "ticket lifetime".

As mentioned here [1] the ticket lifetime is the minimum of 4 values:
1) maxlife for the user principal
2) maxlife for the service [principal]
3) max_life in the kdc.conf
4) requested lifetime in the ticket request

You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
[libdefaults] in /etc/krb5.conf on client).

To increase 2) you need to change maxlife for the krbtgt service. There are two ways
this can be done:
a) modifying the krbMaxTicketLife attribute in
krbPrincipalName=krbtgt/EXAMPLE.ORG@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
b) using kadmin.local:
# kadmin.local
Authenticating as principal admin/admin@EXAMPLE.ORG
: modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
Principal "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" modified.
: exit

To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
and restart krb5kdc service.

But generally I don't think it's a good idea to have such long tickets. Would
it make sense in your use case to deploy SSSD on user systems to handle
Kerberos tickets for them?

[1] http://mailman.mit.edu/pipermail/kerberos/2009-February/014520.html

-- 
David Kupka
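The "minimum of four values" rule above is easy to get wrong because the four settings are expressed in different notations: seconds in `ipa krbtpolicy-show`, `4320h` in krb5.conf, `180d` in sssd.conf, `10day` in kadmin. The following script, added here as an illustration and not part of the thread or of FreeIPA/MIT krb5, parses those common duration forms (it is a simplified reimplementation, not libkrb5's own parser) and reports which of the four limits actually caps the ticket. The user maxlife and requested lifetime in the sample run are the values William posted; the krbtgt maxlife and kdc.conf max_life are assumed values chosen to show a server-side limit winning even when the client asks for more.

```python
import re

# Seconds per unit for the duration forms seen in krb5.conf, sssd.conf and
# kadmin ("4320h", "180d", "10day", "1d2h30m", "36:00:00", or bare seconds
# as printed by "ipa krbtpolicy-show").
_UNIT_SECONDS = {
    "d": 86400, "day": 86400, "days": 86400,
    "h": 3600, "hour": 3600, "hours": 3600,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
}
_UNIT_RE = re.compile(r"(\d+)([A-Za-z]+)")
_HMS_RE = re.compile(r"^(\d+):(\d{1,2})(?::(\d{1,2}))?$")


def parse_duration(text):
    """Convert a krb5-style duration string into a number of seconds.

    Accepts bare seconds ("15552000"), unit suffixes ("4320h", "10day",
    "1d2h30m") and the h:m[:s] form ("36:00:00"). Raises ValueError on
    anything else so a typo in a config value is noticed, not silently ignored.
    """
    s = "".join(str(text).split())  # drop all whitespace
    if s.isdigit():
        return int(s)
    m = _HMS_RE.match(s)
    if m:
        hours, minutes, seconds = m.groups()
        return int(hours) * 3600 + int(minutes) * 60 + int(seconds or 0)
    total, consumed = 0, 0
    for m in _UNIT_RE.finditer(s):
        unit = m.group(2).lower()
        if unit not in _UNIT_SECONDS:
            raise ValueError(f"unknown time unit {unit!r} in {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[unit]
        consumed += len(m.group(0))
    if consumed == 0 or consumed != len(s):
        raise ValueError(f"cannot parse duration {text!r}")
    return total


def effective_ticket_lifetime(user_maxlife, service_maxlife, kdc_max_life, requested):
    """Return (seconds, limiting_setting) for a TGT request.

    The KDC issues the ticket with the smallest of the four limits, so the
    function also reports which one is binding, i.e. the setting an
    administrator has to raise next.
    """
    limits = {
        "user principal maxlife (ipa krbtpolicy)": parse_duration(user_maxlife),
        "krbtgt service maxlife (krbMaxTicketLife)": parse_duration(service_maxlife),
        "kdc.conf max_life": parse_duration(kdc_max_life),
        "requested lifetime (ticket_lifetime in krb5.conf)": parse_duration(requested),
    }
    binding = min(limits, key=limits.get)
    return limits[binding], binding


def human(seconds):
    """Render seconds as days/hours/minutes for a readable report."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


if __name__ == "__main__":
    # Constructed scenario: user_maxlife and requested are the values from the
    # thread; service_maxlife ("7d") and kdc_max_life ("1d") are assumed.
    seconds, binding = effective_ticket_lifetime(
        user_maxlife="15552000",   # Max life from "ipa krbtpolicy-show"
        service_maxlife="7d",      # assumed krbMaxTicketLife on the krbtgt principal
        kdc_max_life="1d",         # assumed max_life in kdc.conf
        requested="4320h",         # ticket_lifetime from the client's krb5.conf
    )
    print(f"ticket lifetime: {human(seconds)}  (limited by: {binding})")
```

Run as-is the script prints a one-day lifetime limited by `kdc.conf max_life`, which is the situation the reply describes: raising the IPA policy and the client's `ticket_lifetime` changes nothing until the krbtgt maxlife and the KDC's `max_life` are raised as well. Substitute the real values from your deployment to see which limit binds there.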