20.2. Setting Kerberos Ticket Policies
The Kerberos ticket policy sets basic restrictions on managing tickets within the Kerberos realm, such as the maximum ticket lifetime and the maximum renewal age (the period during which the ticket is renewable).
The Kerberos ticket policy is set globally so that it applies to every ticket issued within the realm. IdM also has the ability to set user-level ticket policies which override the global policies. This can be used, for example, to set extended expiration times for administrators or to set shorter expiration times for some employees.
20.2.1. Setting Global Ticket Policies
20.2.1.1. From the Web UI
- Click the Policy tab, and then click the Kerberos Ticket Policy subtab.
- Change the ticket lifetime policies.
- Max renew sets the period after a ticket expires that it can be renewed.
- Max life sets the active period (lifetime) of a Kerberos ticket.
- Click the Update link at the top of the policy page.
- Restart the KDC.
# service krb5kdc restart
Important
Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect.
20.2.1.2. From the Command Line
The
ipa krbtpolicy-mod command modifies the policy, while the ipa krbtpolicy-reset command resets the policy to the default values.
For example:
# ipa krbtpolicy-mod --maxlife=3600 --maxrenew=18000 Max life: 3600 Max renew: 18000
Important
Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect. Restart the KDC:
# service krb5kdc restart
20.2.2. Setting User-Level Ticket Policies
User-level Kerberos ticket policies are set using the same commands as global policies, but the user is specified in the command.
For example:
# ipa krbtpolicy-mod jsmith --maxlife=3600 Max life: 3600
Important
User-level policies take effect immediately on the next requested ticket (such as running
kinit), without having to restart the KDC service.
