On Wed, 16 Dec 2020, Kees Bakker via FreeIPA-users wrote:
> On 16-12-2020 16:03, Alexander Bokovoy wrote:
>> On Wed, 16 Dec 2020, Kees Bakker via FreeIPA-users wrote:
>>> On 16-12-2020 14:59, François Cami wrote:
>>>> On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <keesb(a)ghs.com> wrote:
>>>>
>>>> Thanks for the pointer. A bit old, but probably still relevant.
>>>>
>>>> Anyway, I was thinking that the following may be the cause of
>>>> my observation. I'm now working from home (as many will recognize).
>>>> My setup is an X2GO connection to the office. The session is kept alive
>>>> all the time and without a screenlock in that X2GO session.
>>>>
>>>> Before, I was working in the office, and there I had a screenlock as soon
>>>> as I left my desk. I'm guessing that the TGT was renewed or newly created
>>>> when I unlocked the screen. If that is the case then I never noticed an
>>>> expired TGT.
>>>>
>>>> It's just a wild guess.
>>>>
>>>> In the meantime I'm going to figure out what the configuration should be
>>>> to not run into an expired TGT all the time. Of course we have a FreeIPA
>>>> flavor of it all. In my case: Centos7 for the masters, and Ubuntu for the
>>>> clients.
>>>>
>>>>
>>>> Look at the client's configuration:
>>>>
>>>> https://linux.die.net/man/5/sssd-krb5
>>>> krb5_store_password_if_offline
>>>> krb5_renewable_lifetime
>>>> krb5_renew_interval
>>>>
>>>
>>> In /etc/sssd/sssd.conf I now have:
>>> krb5_renewable_lifetime = 60d
>>> krb5_renew_interval = 6h
>>>
>>> The ipa client install already placed krb5_store_password_if_offline=True in there.
>>>
>>> In /etc/krb5.conf in the [libdefaults] section I have:
>>> ticket_lifetime = 24h
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> On the clients I now see a TGT with flags FRIA. Great. It seems that my server
>>> only allows max 7 days.
>>>
>>> renew until 23-12-20 15:18:42, Flags: FRIA
>>>
>>> Let's see if this is sufficient.
>>
>> If you need a longer period to be allowed, you need to modify
>> /var/kerberos/krb5kdc/kdc.conf and set 'max_life' there. It has to be
>> done on all IPA replicas.
>>
>> The options max_life and max_renewable_life are described in the man page
>> for kdc.conf:
>>
>> max_life
>> (duration string.) Specifies the maximum time period for
>> which a ticket may be valid in this realm. The default
>> value is 24 hours.
>>
>> max_renewable_life
>> (duration string.) Specifies the maximum time period
>> during which a valid ticket may be renewed in this realm.
>> The default value is 0.
> OK
> How does this relate to the settings in the web GUI, in Policy > Kerberos Ticket Policy?
That defines a policy which applies within the defaults of the KDC (in
kdc.conf). When the KDC calculates the end ticket time, it cuts off the proposed
ticket time (proposed by a client and checked by the KDC driver after
applying policies) by this limit.
> There I have (installation defaults):
> Max renew (seconds): 604800 (7 days)
> Max life (seconds): 86400 (24 hours)
> In /var/kerberos/krb5kdc/kdc.conf (on all replicas) I have:
> max_life = 7d
> max_renewable_life = 14d
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
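A worked model of how the limits discussed in this thread combine, added here as an example and not code from the thread or from FreeIPA: it parses the duration strings used in sssd.conf, krb5.conf, kdc.conf and the IPA Kerberos Ticket Policy, and reports which layer caps the ticket life and the renewable life. That the KDC grants the minimum of the three layers is an assumption drawn from Alexander's description above, not verified against the KDC source.

```python
import re

# Duration units accepted in krb5.conf / kdc.conf / sssd.conf values.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Return a krb5-style duration as seconds: bare seconds ("604800"),
    chained unit suffixes ("24h", "7d", "1d12h"), or "h:m[:s]"."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):
        return int(text)
    if ":" in text:
        parts = [int(p) for p in text.split(":")]
        if len(parts) not in (2, 3):
            raise ValueError(f"bad duration: {text!r}")
        parts += [0] * (3 - len(parts))
        return parts[0] * 3600 + parts[1] * 60 + parts[2]
    if not re.fullmatch(r"(\d+[smhd])+", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))


def effective_limit(requested, policy_max, kdc_max):
    """Combine the three layers from the thread; return (seconds, binding layer).

    Model (an assumption about the KDC, not a check of its code): the granted
    value is the smallest of the client's request (krb5.conf / sssd.conf),
    the IPA Kerberos Ticket Policy, and the realm-wide cap in kdc.conf.
    Ties resolve to the first layer listed.
    """
    layers = {
        "client request": parse_duration(requested),
        "IPA ticket policy": parse_duration(policy_max),
        "kdc.conf": parse_duration(kdc_max),
    }
    name = min(layers, key=layers.get)
    return layers[name], name


if __name__ == "__main__":
    # Values as reported in the thread; a constructed call, not a real KDC query.
    for what, req, pol, kdc in (("ticket life", "24h", "86400", "7d"),
                                ("renew until", "60d", "604800", "14d")):
        secs, who = effective_limit(req, pol, kdc)
        print(f"{what}: {secs / 86400:g} day(s), limited by {who}")
```

Under this model, with the values Kees posted, the renewable lifetime is capped at 7 days by the IPA Kerberos Ticket Policy (604800 s), which matches the `renew until` he observed, so raising kdc.conf max_renewable_life alone would not change it.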