Morning David,

Thank you very much for your help.

> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".

Yes, want to increase ticket lifetime.

> As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
>
> To increase 2) you need to change maxlife for krbtgt service. There're two
> ways this can be done:
> a) modifying krbMaxTicketLife attribute in
> krbPrincipalName=krbtgt/example....@example.org,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/ad...@example.org
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/example....@example.org" modified.
> : exit

Will try 2 b and see how it goes

> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.

okay, wasn't actually aware of this. Will look at it

> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?

I am actually using SSSD on all the systems, even the desktops. I agree the changes above aren't ideal and would prefer to get SSSD working well. Where would like to avoid this error showing around every 12 hours.

antimony: Could not chdir to home directory /home/william: Key has expired

Regards,
William