Thanks. It's all for internal R&D and testing. I had set a high ticket lifetime to prevent the need for users to have to type their password so often.
Did this change from FreeIPA 4.6 / earlier version of MIT Kerberos? This used to work fine in 4.6.... All I had to do is modify the "max life" in the web UI and it Just Worked ®

On Mon, Oct 20, 2025 at 10:41 AM Alexander Bokovoy <[email protected]> wrote:

> On Mon, 20 Oct 2025, Russell Jones via FreeIPA-users wrote:
> >I have found in the kdc.conf file where max_life and max_renewable_life are
> >defined as 7d and 14d respectively for my realm. Changing these values in
> >the Web UI doesn't seem to touch this file at all.....
>
> This is not supported.
>
> There are workarounds by changing the KDC configuration manually as
> described in the discussion in
> https://github.com/freeipa/freeipa/pull/6223 but ultimately the code in
> MIT Kerberos KDC will prevent us from making it fully customizable.
> Changing that code upstream is not considered a priority for upstream.
>
> Security-wise, it is really not recommended to have tickets valid for
> a long time. If you are after automated renewal of Kerberos tickets,
> better learn how to integrate gssproxy into your workflow.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
