On Mon, 20 Oct 2025, Russell Jones wrote:
Thanks.
It's all for internal R&D and testing. I had set a high ticket lifetime to
prevent the need for users to have to type their password so often.
Did this change from FreeIPA 4.6 / earlier version of MIT kerberos? This
used to work fine in 4.6... All I had to do is modify the "max life" in
the web UI and it Just Worked ®
As described in the pull request discussion, you need to modify the
kdc.conf on all IPA KDCs to force larger limits, not just the policy on
the IPA side.
https://github.com/freeipa/freeipa/pull/6223#issuecomment-1084231184 and
the next two comments describe in detail what's happening.
Some of the behaviors can be amended, specifically, for passwordless
methods, but they still require a combination of kdc.conf changes with
an arrangement of policy settings on IPA principals (both users and
services).
On Mon, Oct 20, 2025 at 10:41 AM Alexander Bokovoy <[email protected]>
wrote:
On Mon, 20 Oct 2025, Russell Jones via FreeIPA-users wrote:
> I have found in the kdc.conf file where max_life and max_renewable_life are
> defined as 7d and 14d respectively for my realm. Changing these values in
> the Web UI doesn't seem to touch this file at all...
This is not supported.
There are workarounds by changing the KDC configuration manually as
described in the discussion in
https://github.com/freeipa/freeipa/pull/6223 but ultimately the code in
MIT Kerberos KDC will prevent us from making it fully customizable.
Changing that code upstream is not considered a priority for upstream.
Security-wise, it is really not recommended to have tickets valid for a
long time. If you are after automated renewal of Kerberos tickets, it is
better to learn how to integrate gssproxy into your workflow.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
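An added audit helper, not code from this thread or from FreeIPA, illustrating the point Alexander makes above: the realm limits in kdc.conf cap whatever the IPA ticket policy asks for. It parses max_life / max_renewable_life from a constructed kdc.conf realm stanza, converts krb5 duration syntax to seconds, and compares them with the IPA krbtpolicy values (seconds, as passed to `ipa krbtpolicy-mod --maxlife/--maxrenew`), reporting the effective limits and whether the policy is being clamped. It assumes the MIT KDC enforces the smaller of the two; the realm name, stanza contents and policy numbers are constructed.

```python
import re

# MIT krb5 duration syntax: "7d", "2h", "1d 4h", "10:30:00" (h:m:s) or bare seconds.
_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample realm stanza from an IPA KDC's kdc.conf (not a real deployment).
SAMPLE_KDC_CONF = """
[realms]
    EXAMPLE.TEST = {
        max_life = 7d
        max_renewable_life = 14d
        default_principal_flags = +preauth
    }
"""

def parse_duration(text: str) -> int:
    """Convert a krb5-style duration string to seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    if ":" in text:
        h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
        return h * 3600 + m * 60 + s
    total = sum(int(n) * _UNIT[u] for n, u in re.findall(r"(\d+)\s*([dhms])", text))
    if total == 0:
        raise ValueError("unrecognised duration: %r" % text)
    return total

def realm_limits(kdc_conf: str, realm: str) -> dict:
    """Pull max_life / max_renewable_life (in seconds) out of one realm stanza."""
    stanza = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)^\s*\}",
                       kdc_conf, re.S | re.M)
    if not stanza:
        raise KeyError(realm)
    limits = {}
    for key in ("max_life", "max_renewable_life"):
        hit = re.search(r"^\s*" + key + r"\s*=\s*(\S+.*?)\s*$", stanza.group(1), re.M)
        if hit:
            limits[key] = parse_duration(hit.group(1))
    return limits

def effective_policy(kdc_limits: dict, ipa_maxlife: int, ipa_maxrenew: int) -> dict:
    """Effective limit = min(kdc.conf realm cap, IPA krbtpolicy value); flag clamping."""
    life = min(kdc_limits["max_life"], ipa_maxlife)
    renew = min(kdc_limits["max_renewable_life"], ipa_maxrenew)
    clamped = (ipa_maxlife > kdc_limits["max_life"]
               or ipa_maxrenew > kdc_limits["max_renewable_life"])
    return {"max_life": life, "max_renewable_life": renew, "clamped_by_kdc": clamped}

if __name__ == "__main__":
    caps = realm_limits(SAMPLE_KDC_CONF, "EXAMPLE.TEST")
    # An IPA policy asking for 30d / 60d still yields at most 7d / 14d from this KDC.
    print(effective_policy(caps, 30 * 86400, 60 * 86400))
```

Run it against the realm stanza of each IPA KDC's kdc.conf in turn: any KDC whose cap is below the policy will issue shorter tickets than the Web UI suggests.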
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]