it's active, but it seems not to do anything:

● ipa-ccache-sweep.timer - Remove Expired Kerberos Credential Caches
     Loaded: loaded (/usr/lib/systemd/system/ipa-ccache-sweep.timer; enabled; vendor preset: disabled)
     Active: active (elapsed) since Thu 2022-08-11 11:22:44 EDT; 3 days ago
      Until: Thu 2022-08-11 11:22:44 EDT; 3 days ago
    Trigger: n/a
   Triggers: ● ipa-ccache-sweep.service

--------
[Unit]
Description=Remove Expired Kerberos Credential Caches

[Timer]
OnUnitActiveSec=12h

[Install]
WantedBy=timers.target
---------

I believe the intent is that it should run every 12 hours. It doesn't seem to be doing so. From a web discussion:

OnUnitActiveSec does indeed refer to the time since the service referred to by the timer has run.  But if you only use OnUnitActiveSec and no other trigger then issue the command to start or enable foo.timer, foo.service will never run.  Why would it, no trigger would ever be activated in the first place: something needs to trigger the first run of foo.service in order to for you to ever have 3 seconds pass since it was last run.

So in other words, OnUnitActiveSec can be used to define the interval between repetitions, but another trigger (like OnActiveSec or OnBootSec) would be needed to trigger the first run of foo.service to get the ball rolling.

From: Jochen Kellner <jochen@jochen.org>
Sent: Sunday, August 14, 2022 12:39 PM
To: Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Cc: Charles Hedrick <hedrick@rutgers.edu>
Subject: Re: [Freeipa-users] /run/ipa/ccaches filling
 
Charles Hedrick via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> RHEL 9.0. /run/ipa/ccaches is filling with credential caches. Many are too old to be valid.
>
> I assume it's safe to have a cron job delete any more than a day old?
> (that's our maxmum lifetime.) I can't see the lifetime directly,
> because they are encrypted.

On my system I have a (disabled( systemd-timer named
ipa-ccache-sweep.timer. My guess would be that it get's enabled on new
installs, but somehow missed on updates. See the release notes of 4.9.9:
https://www.freeipa.org/page/Releases/4.9.9

Jochen

--
This space is intentionally left blank.