#9132 RFE: Make KDC password ticket policy globally configurable
Opened 2 years ago by rcritten. Modified 2 years ago

Request for enhancement

As an admin, I want to be able to control the ticket policy max lifetime. This is currently possible using the krbtpolicy plugin, but the maximum is controlled via the kdc.conf configuration file, so it is only configurable to a point.

This RFE is derived from https://pagure.io/freeipa/issue/9121

Specifically this from the associated BZ (lightly edited for readability out of context):

To increase the lifetime beyond 7 days (and renewable life beyond 14 days) it is actually necessary to do 2 things (after applying your fix):

1. Increase the maxlife and maxrenewlife of the krbtgt/EXAMPLE.COM principal (the service principal that supplies the ticket)
2. Increase the max_life and max_renewable_life parameters in /etc/kerberos/krb5kdc/kdc.conf

For values lower than that, the fix solves all issues.
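
The two steps above are needed because an MIT KDC issues a ticket no longer-lived than the smallest applicable limit. The following is an added example, not part of the ticket or of FreeIPA, that reports which limit is binding; the kdc.conf fragment, the numeric inputs and the function names are constructed for illustration.

```python
import re

# Constructed kdc.conf fragment using the 7-day / 14-day limits named in the ticket.
SAMPLE_KDC_CONF = """
[realms]
 EXAMPLE.COM = {
  max_life = 7d
  max_renewable_life = 14d
 }
"""
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Parse a krb5 duration: plain seconds, h:m[:s], or NdNhNmNs."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if ":" in text:
        parts = [int(p) for p in text.split(":")]
        parts += [0] * (3 - len(parts))
        return parts[0] * 3600 + parts[1] * 60 + parts[2]
    tokens = re.findall(r"(\d+)\s*([dhms])", text)
    if not tokens or re.sub(r"(\d+)\s*[dhms]|\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in tokens)

def realm_limits(conf, realm):
    """Return (max_life, max_renewable_life) in seconds for one realm block."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S)
    if block is None:
        raise KeyError(realm)
    found = dict(re.findall(
        r"^\s*(max_life|max_renewable_life)\s*=\s*(.+)$", block.group(1), re.M))
    # MIT krb5 defaults when a key is absent: 24 hours and 0.
    return (parse_duration(found.get("max_life", "1d")),
            parse_duration(found.get("max_renewable_life", "0")))

def effective_limits(policy, krbtgt, conf, realm):
    """policy and krbtgt are (life, renew) pairs in seconds; the smallest wins."""
    caps = {"krbtpolicy": policy, "krbtgt principal": krbtgt,
            "kdc.conf": realm_limits(conf, realm)}
    result = {}
    for i, name in enumerate(("max_life", "max_renewable_life")):
        source = min(caps, key=lambda k: caps[k][i])  # first smallest cap
        result[name] = (caps[source][i], source)
    return result
```

Each result entry pairs the effective limit in seconds with the name of the setting that imposes it, so raising only the policy shows the krbtgt principal or kdc.conf as the remaining cap.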

