Chapter 29. Managing the Kerberos Domain

This chapter describes managing the Kerberos Key Distribution Center (KDC) component of the Identity Management server.

Important

Do not use the kadmin or kadmin.local utilities to manage the Identity Management Kerberos policies. Use the native Identity Management command-line tools as described in this guide.
If you attempt to manage the Identity Management policies using the mentioned Kerberos tools, some of the operations will not affect the Identity Management configuration stored in its Directory Server instance.

29.1. Managing Kerberos Ticket Policies

Kerberos ticket policies in Identity Management set restrictions on ticket duration and renewal. Using the following procedures, you can configure Kerberos ticket policies for the Kerberos Key Distribution Center (KDC) running on your Identity Management server.

29.1.1. Determining the lifetime of a Kerberos Ticket

When an Identity Management server determines the lifetime of a ticket to be granted after an Identity Management client has requested a Kerberos ticket on behalf of user_name, several parameters are taken into account. First, client-side evaluation takes place which calculates the value to be requested on the basis of the kinit command and the ticket_lifetime setting in the /etc/krb5.conf file. The value is then sent to the Identity Management server where server-side evaluation takes place. If the requested lifetime is lower than what the global settings allow, the requested lifetime is granted. Otherwise, the lifetime granted is the value which the global settings allow.
The lifetime requested by the client on behalf of user_name is determined as follows:

On the client side

  • If you explicitly state a value for user_name in the kinit command itself by using the -l option, for example:
    $ kinit user_name -l 90000
    that value, in this case 90000 seconds, is requested by the client on behalf of user_name.
  • Else, if no lifetime value is passed in as an argument of the kinit user_name command, the value of the ticket_lifetime setting in the client’s /etc/krb5.conf file is used by the client on behalf of user_name. If no value is specified in the /etc/krb5.conf file, the default IdM value for initial ticket requests is used, which is 1 day.

On the server side

Server-side, a two-stage evaluation takes place:
  1. The value requested by the client is compared to the --maxlife setting of the user_name-specific Kerberos ticket policies if these policies exist, and the lower value of the two is selected. If user_name-specific Kerberos ticket policies do not exist, the value sent by the client is compared to the --maxlife setting of the Global Kerberos ticket policy, and the lower value of the two is selected. For details on global and user-specific Kerberos ticket policies, see Section 29.1.2, “Global and User-specific Kerberos Ticket Policies”.
  2. The value selected in the previous step is compared to two other values:
    • The value of the max_life setting in the /var/kerberos/krb5kdc/kdc.conf file
    • The value set in the krbMaxTicketLife attribute of the LDAP entry with the distinguished name (DN): krbPrincipalName=krbtgt/REALM_NAME@REALM_NAME,cn=REALM_NAME,cn=kerberos,domain_name
    The lowest of the three values is ultimately selected for the lifetime of the Kerberos ticket granted to user_name.

29.1.2. Global and User-specific Kerberos Ticket Policies

You can redefine the global Kerberos ticket policy and define additional policies specifically to individual users.
Global Kerberos ticket policy
The global policy applies to all tickets issued within the Identity Management Kerberos realm.
User-specific Kerberos ticket policies
User-specific policies apply only to the associated user account. For example, a user-specific Kerberos ticket policy can define a longer maximum ticket lifetime for the admin user.
User-specific policies take precedence over the global policy.

29.1.3. Configuring the Global Kerberos Ticket Policy

To configure the global Kerberos ticket policy, you can use:

Table 29.1. Supported Kerberos Ticket Policy Attributes

Attribute Explanation Example
Max renew
The period of time (in seconds) during which the user can renew the Kerberos ticket after its expiry. After the renew period, the user must log in using the kinit utility to get a new ticket.
To renew the ticket, use the kinit -R command.
Max renew = 604800
After the ticket expires, the user can renew it within the next 7 days (604,800 seconds).
Max life The lifetime of a Kerberos ticket (in seconds). The period during which the Kerberos ticket stays active.
Max life = 86400
The ticket expires 24 hours (86,400 seconds) after it was issued.

Web UI: Configuring the Global Kerberos Ticket Policy

  1. Select PolicyKerberos Ticket Policy.
  2. Define the required values:
    1. In the Max renew field, enter the maximum renewal period of Kerberos tickets.
    2. In the Max life field, enter the maximum lifetime of Kerberos tickets.
      Configuring the Global Kerberos Ticket Policy

      Figure 29.1. Configuring the Global Kerberos Ticket Policy

  3. Click Save.

Command Line: Configuring the Global Kerberos Ticket Policy

To modify the global Kerberos ticket policy:
  • Use the ipa krbtpolicy-mod command, and pass at least one of the following options:
    • --maxrenew to define the maximum renewal period of Kerberos tickets
    • --maxlife to define the maximum lifetime of Kerberos tickets
    For example, to change the maximum lifetime:
    $ ipa krbtpolicy-mod --maxlife=80000
    Max life: 80000
    Max renew: 604800
To reset the global Kerberos ticket policy to the original default values:
  1. Use the ipa krbtpolicy-reset command.
  2. Optional. Use the ipa krbtpolicy-show command to verify the current settings.
For details on ipa krbtpolicy-mod and ipa krbtpolicy-reset, pass the --help option with them.

29.1.4. Configuring User-specific Kerberos Ticket Policies

To modify the Kerberos ticket policy for a particular user:
  1. Use the ipa krbtpolicy-mod user_name command, and pass at least one of the following options:
    • --maxrenew to define the maximum renewal period of Kerberos tickets
    • --maxlife to define the maximum lifetime of Kerberos tickets
    If you define only one of the attributes, Identity Management will apply the global Kerberos ticket policy value for the other attribute.
    For example, to change the maximum lifetime for the admin user:
    $ ipa krbtpolicy-mod admin --maxlife=160000
    Max life: 80000
    Max renew: 604800
  2. Optional. Use the ipa krbtpolicy-show user_name command to display the current values for the specified user.
The new policy takes effect immediately on the next Kerberos ticket that the user requests, such as when using the kinit utility.
To reset a user-specific Kerberos ticket policy, use the ipa krbtpolicy-reset user_name command. The command clears the values defined specifically to the user, after which Identity Management applies the global policy values.
For details on ipa krbtpolicy-mod and ipa krbtpolicy-reset, pass the --help option with them.