[Freeipa-users] How to change kerberos key lifetime?

David Kupka dkupka at redhat.com
Fri Feb 17 06:49:41 UTC 2017


On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
> 
> 
> >
> > The fact that your desktops are using SSSD changes the situation dramatically.
> >
> > SSSD (with ipa or krb5 provider) obtains a ticket for the user when they log in,
> > and it can be configured to renew the ticket for the user until the ticket's
> > renewable lifetime expires.
> >
> > Given this, you can keep the ticket lifetime reasonably short (~1 day), set the
> > ticket renewable lifetime to a longer period (~2 weeks), and maintain a reasonable
> > security level without a negative impact on users' daily work.
> >
> > Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> > in sssd-krb5 man page.
> >
> Thanks a lot.  I did actually end up using this.   Will wait for a
> couple of days and see if the situation is better for anybody and
> update you.
> 
> Curious though, why isn't the renewal interval set up by default?  Is there
> a negative consequence of having SSSD renewing tickets by default?  I
> can't think of any and hence am a bit lost on explaining the default
> setup.
> --
> Regards,
> William

Honestly, I don't know why krb5_renew_interval isn't set by default.

My wild guess would be that in a typical SSSD deployment a user logs in at the
beginning of the work day, SSSD gets a ticket that lasts for a day, and the user
logs out at the end of the work day (after 8~10 hours). So there's no need to
refresh it.

But feel free to open a ticket for SSSD [1] and describe your use case. I don't
know SSSD that well and maybe there's no reason against setting it by default.

[1] https://fedorahosted.org/sssd/newticket

-- 
David Kupka
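As an added illustration of the three sssd-krb5 options named in the quoted advice (not configuration from either poster), here is a domain section of /etc/sssd/sssd.conf with a short ticket lifetime, a longer renewable lifetime, and a renewal check interval. The domain name, server and the exact values are assumptions chosen for the example; the option names and the unit suffixes (s, m, h, d) are the ones documented in the sssd-krb5 man page.

```ini
# /etc/sssd/sssd.conf (example fragment, not the original poster's config)
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
# The ipa provider accepts the krb5_* options below; the same options
# apply verbatim with id_provider/auth_provider = krb5.
id_provider = ipa
auth_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, ipa.example.test

# Ask the KDC for a TGT valid for one day ...
krb5_lifetime = 1d
# ... that may keep being renewed for up to two weeks.
krb5_renewable_lifetime = 14d
# How often SSSD checks whether a cached TGT should be renewed.
# Without this option SSSD never renews tickets on its own.
krb5_renew_interval = 30m
```

Two caveats worth checking before relying on this. First, these are only what SSSD requests; the KDC caps both values at its ticket policy, so on FreeIPA compare them against `ipa krbtpolicy-show` (and adjust with `ipa krbtpolicy-mod --maxlife=... --maxrenew=...`, values in seconds), or the renewable lifetime will silently be shorter than configured. After restarting SSSD and logging in again, `klist` should show a "renew until" timestamp about two weeks out. Second, renewal only works while the ticket is still valid, and a renewable TGT can be renewed by anyone who holds it, so a long renewable lifetime extends the useful life of a stolen credential cache by the same amount; that trade-off is the reason to keep the base lifetime short even when renewal is enabled.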