On (16/02/17 18:05), William Muriithi wrote:
>> The fact that your desktops are using SSSD changes the situation
>> dramatically.
>>
>> SSSD (with the ipa or krb5 provider) obtains a ticket for the user when he is
>> logging in, and can be configured to renew the ticket for the user until the
>> ticket's renewable lifetime expires.
>>
>> Given this, you can keep the ticket lifetime reasonably short (~1 day), set the
>> ticket renewable lifetime to a longer period (~2 weeks) and maintain a reasonable
>> security level without negative impact on users' daily work.
>>
>> Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime options
>> in the sssd-krb5 man page.
>>
> Thanks a lot. I did actually end up using this. I will wait for a
> couple of days, see whether the situation is better and
> update you.
>
> Curious though, why isn't the renewal interval set up by default? Is there
> a negative consequence to having SSSD renew tickets by default? I
> can't think of any and hence am a bit lost on explaining the default
> setup.
Desktop/laptop users usually do not need automatic renewal. They authenticate/log in/unlock the screen quite often, and for each action SSSD authenticates against the IPA server, which automatically gets/renews the krb5 ticket. Unless the machine is offline.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
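The three sssd-krb5 options named in the thread only do what is intended if their values are consistent with each other: krb5_renew_interval defaults to 0, which disables renewal, and SSSD only renews a TGT that has not yet expired (the sssd-krb5 man page says renewal happens once about half of the ticket lifetime has passed), so the renewal interval has to be comfortably shorter than half the ticket lifetime, and the renewable lifetime has to exceed the plain lifetime for renewal to buy anything. The following script is an added example, not code from the thread or from the SSSD project; it parses a constructed sssd.conf (the domain, server and values are made up) and reports any of those inconsistencies. It does not query the KDC: the IPA ticket policy (`ipa krbtpolicy-show`) caps both lifetimes, so the values the KDC actually issues can be shorter than what sssd.conf asks for, and `klist` on the client ("renew until") is the place to confirm the effective renewable lifetime.

```python
"""Consistency check for the sssd-krb5 ticket renewal options.

Added example for the thread above; the sssd.conf below is constructed
for illustration and the domain/server names are assumptions.
"""
import configparser
import re

# Constructed sssd.conf fragment following the advice in the thread:
# short ticket life, long renewable life, periodic renewal by SSSD.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.test
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 1h
"""

# Duration suffixes accepted by krb5 lifetime strings and krb5_renew_interval.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TOKEN = re.compile(r"(\d+)([smhd])", re.IGNORECASE)


def parse_duration(text):
    """Convert '1d', '10h30m' or a bare number of seconds into seconds."""
    text = text.strip().replace(" ", "")
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:
            raise ValueError(f"unparsable duration: {text!r}")
        total += int(match.group(1)) * _UNITS[match.group(2).lower()]
        pos = match.end()
    if pos != len(text) or total == 0 and text != "0":
        raise ValueError(f"unparsable duration: {text!r}")
    return total


def check_renewal_settings(conf_text, domain):
    """Return a list of problems with the renewal settings; empty means OK."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    problems = []

    # krb5_renew_interval defaults to 0, which disables renewal entirely;
    # that is the default behaviour William asked about.
    interval = parse_duration(section.get("krb5_renew_interval", "0"))
    if interval == 0:
        problems.append("krb5_renew_interval is 0: SSSD will never renew tickets")

    # Without explicit lifetimes the KDC policy decides; nothing to compare.
    if "krb5_lifetime" not in section or "krb5_renewable_lifetime" not in section:
        problems.append("lifetimes not set in sssd.conf: KDC ticket policy applies, "
                        "check with 'ipa krbtpolicy-show' and 'klist'")
        return problems

    lifetime = parse_duration(section["krb5_lifetime"])
    renewable = parse_duration(section["krb5_renewable_lifetime"])

    # SSSD renews once about half the lifetime has passed and only checks
    # every krb5_renew_interval, so an interval of half the lifetime or more
    # can let the ticket expire before the renewal check runs.
    if interval and interval >= lifetime // 2:
        problems.append("krb5_renew_interval is not shorter than half of "
                        "krb5_lifetime: ticket may expire before renewal")

    # A renewable lifetime no longer than the lifetime leaves nothing to renew.
    if renewable <= lifetime:
        problems.append("krb5_renewable_lifetime does not exceed krb5_lifetime: "
                        "renewal cannot extend the ticket")
    return problems


if __name__ == "__main__":
    for problem in check_renewal_settings(SAMPLE_SSSD_CONF, "example.test") or ["OK"]:
        print(problem)
```

Run it against a copy of the real /etc/sssd/sssd.conf (readable by root only) by passing its text to `check_renewal_settings` with the domain name used in the `[domain/...]` section.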