RHEL-16280: IPA ignores the max_life setting for the KDC


    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.4
    • rhel-8.8.0.z
    • ipa
    • Moderate
    • rhel-idm-uah
    • ssg_idm
    • Red Hat Enterprise Linux
    • Iteration 2, RHELs: 10.2, 9.8

      What were you trying to do that didn't work?

      The customer wants to set the life of a Kerberos key to be in excess of 30 days, but whenever they do so the KDC only issues them a ticket that has a life of 24 hours.

      Please provide the package NVR for which bug is seen:

      • krb5-server-1.18.2-25.el8_8.x86_64
      • ipa-server-4.9.11-7.module+el8.8.0+19639+24a8b95c.x86_64

      How reproducible:

      Confirmed by PTSE

      Steps to reproduce

      1. Install a base deployment of IPA on RHEL 8.8.
      2. Edit the /var/kerberos/krb5kdc/kdc.conf file to set the max_life as 40 days and the max_renewable_life as 31 days.
      3. Request a ticket.

      Expected results

      Kerberos ticket has a lifespan of 40 days.

      Actual results

      Kerberos ticket has an expiry of 24 hours.
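
A check for the mismatch reported above, as an added example that is not part of the original report or of the IPA or krb5 code: it reads max_life from a kdc.conf realm block, converts the krb5 duration to seconds, and compares it with the lifetime of the krbtgt entry in klist output. The realm EXAMPLE.TEST, the sample file and klist text, and all function names are constructed for illustration, and the klist date format is assumed to be MM/DD/YYYY.

```python
import re
from datetime import datetime

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def duration_to_seconds(text):
    """Convert a krb5 duration (plain seconds, h:m[:s] or NdNhNmNs) to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if ":" in text:  # h:m or h:m:s
        h, m, *s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + (s[0] if s else 0)
    tokens = re.findall(r"(\d+)\s*([dhms])", text)
    if not tokens or re.sub(r"\d+\s*[dhms]|\s", "", text):
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in tokens)

def realm_settings(kdc_conf, realm):
    """Return the key = value pairs inside the named realm's { } block."""
    block = re.search(r"^\s*%s\s*=\s*\{(.*?)^\s*\}" % re.escape(realm),
                      kdc_conf, re.S | re.M)
    body = block.group(1) if block else ""
    return dict(re.findall(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", body, re.M))

def ticket_lifetime(klist_output):
    """Seconds between 'Valid starting' and 'Expires' for the krbtgt entry."""
    fmt = "%m/%d/%Y %H:%M:%S"  # assumed klist date format; wall-clock difference
    for line in klist_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[4].startswith("krbtgt/"):
            start = datetime.strptime(f"{f[0]} {f[1]}", fmt)
            end = datetime.strptime(f"{f[2]} {f[3]}", fmt)
            return int((end - start).total_seconds())
    return None  # no TGT in the cache

def compare(kdc_conf, realm, klist_output):
    configured = duration_to_seconds(realm_settings(kdc_conf, realm)["max_life"])
    issued = ticket_lifetime(klist_output)
    return {"configured": configured, "issued": issued, "matches": issued == configured}

# Constructed inputs mirroring the report: max_life of 40 days, 24-hour ticket issued.
SAMPLE_KDC_CONF = """[realms]
 EXAMPLE.TEST = {
  max_life = 40d
 }
"""
SAMPLE_KLIST = """Valid starting       Expires              Service principal
01/15/2024 10:00:00  01/16/2024 10:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""
```

On a real host the inputs would be the contents of /var/kerberos/krb5kdc/kdc.conf and the output of klist taken after requesting a ticket.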

              Julien Rische (jrische@redhat.com)
              Chance Callahan (rhn-support-ccallaha)
              Florence Renaud
              IPA QE Bot