20.2. Setting Kerberos Ticket Policies
			The Kerberos ticket policy sets basic restrictions on managing tickets within the Kerberos realm, such as the maximum ticket lifetime and the maximum renewal age (the period during which the ticket is renewable).
		
			The Kerberos ticket policy is set globally so that it applies to every ticket issued within the realm. IdM also has the ability to set user-level ticket policies which override the global policies. This can be used, for example, to set extended expiration times for administrators or to set shorter expiration times for some employees.
		
20.2.1. Setting Global Ticket Policies
20.2.1.1. From the Web UI
- Click the Policy tab, and then click the Kerberos Ticket Policy subtab.
- Change the ticket lifetime policies.
  - Max renew sets the period after a ticket expires that it can be renewed.
  - Max life sets the active period (lifetime) of a Kerberos ticket.
- Click the Update link at the top of the policy page.
- Restart the KDC.

    # service krb5kdc restart

  Important
  Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect.
20.2.1.2. From the Command Line
					The ipa krbtpolicy-mod command modifies the policy, while the ipa krbtpolicy-reset command resets the policy to the default values.
				
					For example:
				
# ipa krbtpolicy-mod --maxlife=3600 --maxrenew=18000
  Max life: 3600
  Max renew: 18000

Important
					Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect. Restart the KDC:

# service krb5kdc restart

20.2.2. Setting User-Level Ticket Policies
				User-level Kerberos ticket policies are set using the same commands as global policies, but the user is specified in the command.
			
				For example:
			
# ipa krbtpolicy-mod jsmith --maxlife=3600
  Max life: 3600

Important
				User-level policies take effect immediately on the next requested ticket (such as running kinit), without having to restart the KDC service.
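
Because user-level policies override the global policy, it is worth checking which overrides are longer than the realm-wide limits. The script below is an added example, not part of the original documentation: it parses policy text in the "Max life / Max renew" format shown above and flags user values that exceed the global ones. The function names, the admin2 user and the sample text are constructed for illustration.

```bash
# Extract one field ("Max life" or "Max renew"), in seconds, from policy text on stdin.
policy_field() {
    awk -F': *' -v key="$1" '{ gsub(/^[ \t]+/, "", $1) } $1 == key { print $2 + 0; exit }'
}

# Compare a user's policy text ($3) with the global policy text ($2).
# Returns 1 if any user value exceeds the global one, 2 if the global text is incomplete.
audit_override() {
    local user="$1" global="$2" override="$3" rc=0 key g u
    for key in "Max life" "Max renew"; do
        g=$(printf '%s\n' "$global" | policy_field "$key")
        u=$(printf '%s\n' "$override" | policy_field "$key")
        if [ -z "$g" ]; then
            echo "global policy text has no '$key' line" >&2
            return 2
        elif [ -z "$u" ]; then
            echo "$user: $key not set, global applies ($g s)"
        elif [ "$u" -gt "$g" ]; then
            echo "$user: $key $u s EXCEEDS global $g s"
            rc=1
        else
            echo "$user: $key $u s within global $g s"
        fi
    done
    return "$rc"
}

# Constructed sample text. On an IdM host, capture the real values with
# "$(ipa krbtpolicy-show)" and "$(ipa krbtpolicy-show USER)" instead.
GLOBAL_SAMPLE='  Max life: 3600
  Max renew: 18000'
JSMITH_SAMPLE='  Max life: 3600'
ADMIN2_SAMPLE='  Max life: 86400
  Max renew: 604800'

audit_override jsmith "$GLOBAL_SAMPLE" "$JSMITH_SAMPLE" || true
audit_override admin2 "$GLOBAL_SAMPLE" "$ADMIN2_SAMPLE" || true
```

A non-zero return from audit_override marks an account whose tickets outlive the global limits, which is the set to review first when tightening ticket lifetimes.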
				