[Freeipa-devel] [PATCH] 77 Update krbtpolicy doc to inform that restarting krb5kdc might be needed.

Rob Crittenden rcritten at redhat.com
Tue Feb 8 15:28:59 UTC 2011


David O'Brien wrote:
> Dmitri Pal wrote:
>> On 02/07/2011 06:46 PM, David O'Brien wrote:
>>> Jenny Galipeau wrote:
>>>> Pavel Zuna wrote:
>>>>> It seems that restarting krb5kdc is only needed when changes to the
>>>>> global policy are made. Per-user policies take effect immediately
>>>>> for newly requested tickets. Can someone please confirm?
>>>> Yes, in testing this is the behavior. If the help could specify that
>>>> an ipactl restart is required after global policy change, that would
>>>> be great.
>>>> Thanks
>>>> Jenny
>>>>
>>> Please raise a suitable bugzilla to get this included in the user doc.
>>> So far I only have doc about restarting IPA services after ipa
>>> krbtpolicy-reset.
>>
>> Isn't it the same thing?
>
> I took "changes" to mean using krbtpolicy-mod and any others, not just
> -reset, which is the info I received last time.

The bottom line is that any change to the global Kerberos ticket policy 
requires a restart of the KDC to see the changes (/sbin/service krb5kdc 
restart). IMHO restarting the entire IPA world for this is overkill.

rob



