[Freeipa-users] How to change kerberos key lifetime?
William Muriithi
william.muriithi at gmail.com
Thu Feb 16 12:54:47 UTC 2017
Morning David,
Thank you very much for your help.
> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".
Yes, I want to increase the ticket lifetime.
>
> As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
>
> To increase 2) you need to change maxlife for krbtgt service. There're two ways
> this can be done:
> a) modifying krbMaxTicketLife attribute in
> krbPrincipalName=krbtgt/EXAMPLE.ORG@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/admin@EXAMPLE.ORG
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG" modified.
> : exit
Will try 2b and see how it goes.
>
> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.
>
Okay, I wasn't actually aware of this. Will look at it.
> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?
>
I am actually using SSSD on all the systems, even the desktops. I
agree the changes above aren't ideal and would prefer to get SSSD
working well. I would like to avoid this error showing up around
every 12 hours:
antimony: Could not chdir to home directory /home/william: Key has expired
Regards,
William
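The four-way minimum David describes is easy to get wrong when the values live in three different places (ipa krbtpolicy, the krbtgt principal's krbMaxTicketLife in LDAP or kadmin, max_life in kdc.conf) and are written in different notations (LDAP stores seconds, kadmin shows "10day", kdc.conf takes "12h 0m 0s"). The following is an added example, not code from the thread or from FreeIPA: it parses the duration forms these tools use, reads max_life out of a kdc.conf-style text, and reports which of the four limits is actually capping the ticket. The kdc.conf text and the SAMPLE_LIMITS values are constructed for illustration; the function and variable names are my own.

```python
"""Added example (not from the thread or FreeIPA): compute the effective
Kerberos ticket lifetime as the minimum of the four limits and name the
one that is the bottleneck. All sample values below are constructed."""
import re
from typing import Dict, Tuple

# Units accepted by krb5's duration syntax plus the "10day" style kadmin prints.
_UNITS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}


def parse_duration(text: str) -> int:
    """Return seconds for '36000', '10h', '1d12h', '12h 0m 0s' or '10day'."""
    text = text.strip().lower()
    if text.isdigit():            # bare seconds, as stored in krbMaxTicketLife
        return int(text)
    total = 0
    parts = re.findall(r"(\d+)\s*([a-z]+)", text)
    if not parts:
        raise ValueError(f"cannot parse duration {text!r}")
    for num, unit in parts:
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(num) * _UNITS[unit]
    return total


def max_life_from_kdc_conf(conf_text: str) -> str:
    """Pull the max_life setting (not max_renewable_life) out of kdc.conf text."""
    match = re.search(r"^\s*max_life\s*=\s*(.+?)\s*$", conf_text, re.MULTILINE)
    if match is None:
        raise ValueError("max_life not set in kdc.conf")
    return match.group(1)


def effective_ticket_lifetime(limits: Dict[str, str]) -> Tuple[int, str]:
    """limits maps a limit's origin to its duration string.

    Returns (effective lifetime in seconds, name of the limiting source),
    i.e. the minimum of the four values the KDC honours.
    """
    parsed = {name: parse_duration(value) for name, value in limits.items()}
    bottleneck = min(parsed, key=parsed.__getitem__)
    return parsed[bottleneck], bottleneck


# Constructed kdc.conf fragment (hypothetical realm EXAMPLE.ORG).
SAMPLE_KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
[realms]
 EXAMPLE.ORG = {
  master_key_type = aes256-cts
  max_life = 12h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }
"""

# Constructed values for the four inputs: policy already raised to 10 days,
# krbtgt still at the 1-day default (seconds, as LDAP stores it), KDC capped
# at 12h, client requesting 10 days.
SAMPLE_LIMITS = {
    "ipa krbtpolicy maxlife": "10day",
    "krbtgt krbMaxTicketLife": "86400",
    "kdc.conf max_life": max_life_from_kdc_conf(SAMPLE_KDC_CONF),
    "client ticket_lifetime": "10d",
}

if __name__ == "__main__":
    seconds, source = effective_ticket_lifetime(SAMPLE_LIMITS)
    print(f"effective lifetime: {seconds // 3600}h, capped by {source}")
```

Run as a script it prints `effective lifetime: 12h, capped by kdc.conf max_life`, which is the kind of answer that explains a "Key has expired" message turning up on a fixed cadence: raising one of the four values does nothing until the smallest one is found.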