#7025 Associate krbtgt/ and K/M principals with default Kerberos ticket policy
Opened 6 years ago by abbra. Modified 6 years ago

ipa krbtpolicy-mod allows one to change settings of a Kerberos policy. When no policy name is specified, a default policy is edited. Unfortunately, the default policy does not apply to krbtgt/ and K/M principals and it is not possible to associate any other ticket policy with these special principals. As a result, it is not possible to influence settings like maximum renewal time for any principal because krbtgt/ principal has explicitly set values which cannot be overridden.

We should associate krbticketpolicyreference of the krbtgt/ and K/M principals with the default Kerberos ticket policy cn=$REALM,cn=kerberos,$SUFFIX. This way changes to the default policy would automatically apply to the krbtgt/ and K/M principals, making it possible to define an alternative policy with a lower ticket lifetime.
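
A simplified model of the behaviour this ticket describes, added here as an illustration and not taken from FreeIPA or MIT krb5 code: it shows why editing the default policy has no effect while krbtgt/ carries an explicit value, and what changes once krbtgt/ resolves its limit through krbticketpolicyreference. Assumptions: an attribute set on the principal takes precedence over the referenced policy, the KDC clamps a TGT to the smaller of the client and krbtgt/ limits, and the EXAMPLE.TEST realm, the alice principal and all lifetimes are constructed sample values.

```python
# Added illustration, not FreeIPA or MIT krb5 code. All sample data is constructed.
DEFAULT_POLICY = "cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test"  # cn=$REALM,cn=kerberos,$SUFFIX
DAY = 86400

def resolve_max_renew(entry, policies):
    """Return (seconds, source) for a principal entry's maximum renewable age.

    Assumption: a value set on the entry itself takes precedence over the
    policy named by krbticketpolicyreference, which defaults to DEFAULT_POLICY.
    """
    if "krbMaxRenewableAge" in entry:
        return entry["krbMaxRenewableAge"], "explicit attribute on principal"
    ref = entry.get("krbticketpolicyreference", DEFAULT_POLICY)
    return policies[ref]["krbMaxRenewableAge"], ref

def effective_max_renew(client, krbtgt, policies):
    """Assumption: the KDC clamps a TGT to the smaller of client and krbtgt/ limits."""
    return min(resolve_max_renew(client, policies)[0],
               resolve_max_renew(krbtgt, policies)[0])

def demo():
    policies = {DEFAULT_POLICY: {"krbMaxRenewableAge": 7 * DAY}}
    user = {"krbPrincipalName": "alice@EXAMPLE.TEST"}  # inherits the default policy
    # Current state per the ticket: krbtgt/ carries its own explicit value.
    krbtgt_now = {"krbPrincipalName": "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
                  "krbMaxRenewableAge": 7 * DAY}
    # Proposed state: krbtgt/ references the default policy (assumed here to
    # no longer carry an explicit value of its own).
    krbtgt_fixed = {"krbPrincipalName": "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
                    "krbticketpolicyreference": DEFAULT_POLICY}

    # The administrator edits the default policy, as `ipa krbtpolicy-mod`
    # does when no policy name is given.
    policies[DEFAULT_POLICY]["krbMaxRenewableAge"] = 14 * DAY
    return {
        "now": effective_max_renew(user, krbtgt_now, policies),
        "proposed": effective_max_renew(user, krbtgt_fixed, policies),
        "krbtgt_source_now": resolve_max_renew(krbtgt_now, policies)[1],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```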


Metadata Update from @pvoborni:
- Issue set to the milestone: Future Releases

6 years ago
