Chapter 29. Managing the Kerberos Domain
This chapter describes managing the Kerberos Key Distribution Center (KDC) component of the Identity Management server.
Important
Do not use the kadmin or kadmin.local utilities to manage the Identity Management Kerberos policies. Use the native Identity Management command-line tools as described in this guide.
If you attempt to manage the Identity Management policies using the mentioned Kerberos tools, some of the operations will not affect the Identity Management configuration stored in its Directory Server instance.
29.1. Managing Kerberos Ticket Policies
Kerberos ticket policies in Identity Management set restrictions on ticket duration and renewal. Using the following procedures, you can configure Kerberos ticket policies for the Kerberos Key Distribution Center (KDC) running on your Identity Management server.
29.1.1. Determining the lifetime of a Kerberos Ticket
When an Identity Management server determines the lifetime of a ticket to be granted after an Identity Management client has requested a Kerberos ticket on behalf of user_name, several parameters are taken into account. First, client-side evaluation takes place, which calculates the value to be requested on the basis of the kinit command and the ticket_lifetime setting in the /etc/krb5.conf file. The value is then sent to the Identity Management server, where server-side evaluation takes place. If the requested lifetime is lower than what the global settings allow, the requested lifetime is granted. Otherwise, the lifetime granted is the value which the global settings allow.
The lifetime requested by the client on behalf of user_name is determined as follows:
On the client side
- If you explicitly state a value for user_name in the kinit command itself by using the -l option, for example:

      $ kinit user_name -l 90000

  that value, in this case 90000 seconds, is requested by the client on behalf of user_name.
- Else, if no lifetime value is passed in as an argument of the kinit user_name command, the value of the ticket_lifetime setting in the client's /etc/krb5.conf file is used by the client on behalf of user_name. If no value is specified in the /etc/krb5.conf file, the default IdM value for initial ticket requests is used, which is 1 day.
On the server side
Server-side, a two-stage evaluation takes place:
- The value requested by the client is compared to the --maxlife setting of the user_name-specific Kerberos ticket policy if such a policy exists, and the lower value of the two is selected. If no user_name-specific Kerberos ticket policy exists, the value sent by the client is compared to the --maxlife setting of the global Kerberos ticket policy, and the lower value of the two is selected. For details on global and user-specific Kerberos ticket policies, see Section 29.1.2, “Global and User-specific Kerberos Ticket Policies”.
- The value selected in the previous step is compared to two other values:
  - The value of the max_life setting in the /var/kerberos/krb5kdc/kdc.conf file
  - The value set in the krbMaxTicketLife attribute of the LDAP entry with the distinguished name (DN) krbPrincipalName=krbtgt/REALM_NAME@REALM_NAME,cn=REALM_NAME,cn=kerberos,domain_name

The lowest of the three values is ultimately selected for the lifetime of the Kerberos ticket granted to user_name.
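The evaluation above, written out as a small POSIX shell model so an administrator can predict what the KDC will grant before touching a policy. This is an added example, not part of the Red Hat guide: the function names are made up, the script never contacts a KDC, and the 86400-second values used for max_life and krbMaxTicketLife in the demo are assumed, not IdM defaults.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: a model of the ticket-lifetime
# evaluation in section 29.1.1. All values are seconds; an empty argument means
# "not set". Nothing here contacts a KDC; it only reproduces the comparisons.

IDM_DEFAULT_LIFETIME=86400   # IdM default for initial ticket requests (1 day)

# min_of A B: print the smaller of two non-negative integers
min_of() {
    if [ "$1" -le "$2" ]; then echo "$1"; else echo "$2"; fi
}

# client_requested_lifetime KINIT_L_VALUE KRB5CONF_TICKET_LIFETIME
# Client-side evaluation: an explicit "kinit -l" value wins, otherwise the
# ticket_lifetime setting from /etc/krb5.conf, otherwise the IdM default.
client_requested_lifetime() {
    if [ -n "$1" ]; then
        echo "$1"
    elif [ -n "$2" ]; then
        echo "$2"
    else
        echo "$IDM_DEFAULT_LIFETIME"
    fi
}

# granted_lifetime REQUESTED USER_MAXLIFE GLOBAL_MAXLIFE KDC_MAX_LIFE KRBTGT_MAXLIFE
# Server-side evaluation.
# Stage 1: the requested value is capped by the user-specific policy's
#          --maxlife if that policy exists, otherwise by the global --maxlife.
# Stage 2: the stage-1 result is capped by max_life from kdc.conf and by the
#          krbMaxTicketLife attribute of the krbtgt/REALM principal entry.
granted_lifetime() {
    requested=$1; user_max=$2; global_max=$3; kdc_max=$4; krbtgt_max=$5
    if [ -n "$user_max" ]; then
        stage1=$(min_of "$requested" "$user_max")
    else
        stage1=$(min_of "$requested" "$global_max")
    fi
    stage2=$(min_of "$stage1" "$kdc_max")
    min_of "$stage2" "$krbtgt_max"
}

# Demo with the guide's numbers plus assumed KDC-side limits of 86400 seconds.
# "kinit user_name -l 90000" against a global Max life of 80000:
req=$(client_requested_lifetime 90000 "")
echo "no user policy:      $(granted_lifetime "$req" ""     80000 86400 86400)"   # 80000
# The same request after "ipa krbtpolicy-mod admin --maxlife=160000": the
# user policy no longer caps it, but kdc.conf and krbMaxTicketLife still do.
echo "user policy 160000:  $(granted_lifetime "$req" 160000 80000 86400 86400)"   # 86400
# No -l and no ticket_lifetime in krb5.conf: the 1-day default is requested.
req=$(client_requested_lifetime "" "")
echo "default request:     $(granted_lifetime "$req" ""     80000 86400 86400)"   # 80000
```

The second demo line is the case worth remembering when a user-specific policy "does not seem to work": raising --maxlife for a user only removes the policy cap, and the kdc.conf max_life and the krbtgt krbMaxTicketLife attribute still bound the result.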
29.1.2. Global and User-specific Kerberos Ticket Policies
You can redefine the global Kerberos ticket policy and define additional policies specifically for individual users.
- Global Kerberos ticket policy: the global policy applies to all tickets issued within the Identity Management Kerberos realm.
- User-specific Kerberos ticket policies: user-specific policies apply only to the associated user account. For example, a user-specific Kerberos ticket policy can define a longer maximum ticket lifetime for the admin user. User-specific policies take precedence over the global policy.
29.1.3. Configuring the Global Kerberos Ticket Policy
To configure the global Kerberos ticket policy, you can use:
- the Identity Management web UI: see the section called “Web UI: Configuring the Global Kerberos Ticket Policy”
- the command line: see the section called “Command Line: Configuring the Global Kerberos Ticket Policy”
Attribute | Explanation | Example |
---|---|---|
Max renew | The period of time (in seconds) during which the user can renew the Kerberos ticket after its expiry. After the renew period, the user must log in using the kinit utility to get a new ticket. To renew the ticket, use the kinit -R command. | Max renew = 604800: after the ticket expires, the user can renew it within the next 7 days (604,800 seconds). |
Max life | The lifetime of a Kerberos ticket (in seconds). The period during which the Kerberos ticket stays active. | Max life = 86400: the ticket expires 24 hours (86,400 seconds) after it was issued. |
Web UI: Configuring the Global Kerberos Ticket Policy
- Select .
- Define the required values:
  - In the Max renew field, enter the maximum renewal period of Kerberos tickets.
  - In the Max life field, enter the maximum lifetime of Kerberos tickets.

  Figure 29.1. Configuring the Global Kerberos Ticket Policy
- Click .
Command Line: Configuring the Global Kerberos Ticket Policy
To modify the global Kerberos ticket policy:
- Use the ipa krbtpolicy-mod command, and pass at least one of the following options:
  - --maxrenew to define the maximum renewal period of Kerberos tickets
  - --maxlife to define the maximum lifetime of Kerberos tickets

  For example, to change the maximum lifetime:

      $ ipa krbtpolicy-mod --maxlife=80000
        Max life: 80000
        Max renew: 604800
To reset the global Kerberos ticket policy to the original default values:
- Use the ipa krbtpolicy-reset command.
- Optional. Use the ipa krbtpolicy-show command to verify the current settings.
For details on ipa krbtpolicy-mod and ipa krbtpolicy-reset, pass the --help option with them.
29.1.4. Configuring User-specific Kerberos Ticket Policies
To modify the Kerberos ticket policy for a particular user:
- Use the ipa krbtpolicy-mod user_name command, and pass at least one of the following options:
  - --maxrenew to define the maximum renewal period of Kerberos tickets
  - --maxlife to define the maximum lifetime of Kerberos tickets

  If you define only one of the attributes, Identity Management will apply the global Kerberos ticket policy value for the other attribute. For example, to change the maximum lifetime for the admin user:

      $ ipa krbtpolicy-mod admin --maxlife=160000
        Max life: 80000
        Max renew: 604800
- Optional. Use the ipa krbtpolicy-show user_name command to display the current values for the specified user.
The new policy takes effect immediately on the next Kerberos ticket that the user requests, such as when using the kinit utility.
To reset a user-specific Kerberos ticket policy, use the ipa krbtpolicy-reset user_name command. The command clears the values defined specifically to the user, after which Identity Management applies the global policy values.
For details on ipa krbtpolicy-mod and ipa krbtpolicy-reset, pass the --help option with them.
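Because ipa krbtpolicy-mod changes take effect on the very next ticket request, a loosened global or user-specific policy is easy to leave behind after troubleshooting. The following POSIX shell script is an added example, not part of the Red Hat guide, covering both the global policy procedure (29.1.3) and the user-specific one (29.1.4): it parses the "Max life" and "Max renew" lines in the format ipa krbtpolicy-show prints, compares them with assumed baseline limits, and prints (without running) the ipa krbtpolicy-mod command that would restore the baseline. The ipa command itself is never executed; the output is fed in from constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: audit "ipa krbtpolicy-show"
# output (global or per-user) against a baseline. The ipa command is never
# executed here; the samples below are constructed to match the output format
# shown in sections 29.1.3 and 29.1.4, and the baseline limits are assumptions.

# Constructed samples of what "ipa krbtpolicy-show" and
# "ipa krbtpolicy-show admin" would print on a server where the admin policy
# was loosened with "ipa krbtpolicy-mod admin --maxlife=160000".
GLOBAL_POLICY_SAMPLE='  Max life: 86400
  Max renew: 604800'
ADMIN_POLICY_SAMPLE='  Max life: 160000
  Max renew: 604800'

# policy_field NAME: read krbtpolicy-show output on stdin and print the integer
# after "NAME:" (for example "Max life"); prints nothing if the line is absent.
policy_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_policy USER MAXLIFE_LIMIT MAXRENEW_LIMIT  < krbtpolicy-show output
# USER is empty for the global policy. Exit status: 0 within baseline,
# 1 if a value exceeds its limit, 2 if the output could not be parsed.
check_policy() {
    user=$1; maxlife_limit=$2; maxrenew_limit=$3
    target=${user:-global}
    output=$(cat)                     # read stdin once; both fields come from it
    maxlife=$(printf '%s\n' "$output" | policy_field "Max life")
    maxrenew=$(printf '%s\n' "$output" | policy_field "Max renew")
    if [ -z "$maxlife" ] || [ -z "$maxrenew" ]; then
        echo "$target: could not parse Max life / Max renew" >&2
        return 2
    fi
    status=0
    if [ "$maxlife" -gt "$maxlife_limit" ]; then
        echo "$target: Max life $maxlife exceeds baseline $maxlife_limit" \
             "(fix: ipa krbtpolicy-mod ${user:+$user }--maxlife=$maxlife_limit)"
        status=1
    fi
    if [ "$maxrenew" -gt "$maxrenew_limit" ]; then
        echo "$target: Max renew $maxrenew exceeds baseline $maxrenew_limit" \
             "(fix: ipa krbtpolicy-mod ${user:+$user }--maxrenew=$maxrenew_limit)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$target: within baseline"
    return "$status"
}

# Demo over the constructed samples with an assumed baseline of 1 day / 7 days.
printf '%s\n' "$GLOBAL_POLICY_SAMPLE" | check_policy ""    86400 604800 || echo "global policy needs attention"
printf '%s\n' "$ADMIN_POLICY_SAMPLE"  | check_policy admin 86400 604800 || echo "admin policy needs attention"
```

On a live server the samples would be replaced by piping ipa krbtpolicy-show (or ipa krbtpolicy-show user_name) into check_policy; the suggested fix is printed rather than applied so the change stays a deliberate administrator action, and ipa krbtpolicy-reset user_name remains the simpler option when the user-specific policy should simply go away.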