Question: How to configure a group for automatic Kerberos Credentials for infinite renewal?
Answer: Starting with DirectControl 5.2.3 [Centrify Server 2015.1 release], a Centrify administrator can specify groups whose members’ Kerberos credentials require infinite renewal even after the group members have logged out.
Example usage:
1. Edit centrifydc.conf
2. krb5.cache.infinite.renewal.batch.groups: test_group_sam@example.com
3. Restart DirectControl Agent (adclient) or run adreload to apply the latest configuration

Option Explanation:
Use this configuration parameter in centrifydc.conf to specify a list of Active Directory groups whose members’ Kerberos credentials require infinite renewal even after the users have logged out. Groups that you specify must be Active Directory groups, but do not need to be zone enabled. However, only zone enabled users in a group will have their credentials automatically renewed.
You must use the following format to specify group names:
SamAccountName@domain
By default, this parameter does not list any groups. If a user is removed from the group, the generated keytab file will be removed the next time adreload is run or adclient is restarted.
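The format rule above can be checked before running adreload. The following is an added example, not Centrify code or part of the original article; it assumes multiple groups are comma-separated on one line (the article does not state the separator), and the group name hadoop_batch and the temporary file are constructed sample data.

```shell
#!/bin/sh
# Added example (not Centrify code): audit the infinite-renewal group list.
# Assumption: several groups are comma-separated on one line.
PARAM='krb5.cache.infinite.renewal.batch.groups'

# Print each configured group on its own line; comment lines are skipped.
list_renewal_groups() {
    awk -v p="$PARAM" '
        /^[ \t]*#/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != p) next
            n = split(substr($0, i + 1), parts, ",")
            for (j = 1; j <= n; j++) {
                g = parts[j]
                gsub(/^[ \t]+|[ \t]+$/, "", g)
                if (g != "") print g
            }
        }' "$1"
}

# Report entries that are not SamAccountName@domain; return 1 if any exist.
check_renewal_groups() {
    bad=$(list_renewal_groups "$1" | grep -Ev '^[^@]+@[^@[:space:]]+$' || true)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" | sed 's/^/not in SamAccountName@domain form: /' >&2
    return 1
}

# Constructed sample: a commented-out entry, the page's example group,
# and a bare name with no domain part.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# krb5.cache.infinite.renewal.batch.groups: old_group@example.com
krb5.cache.infinite.renewal.batch.groups: test_group_sam@example.com, hadoop_batch
EOF
list_renewal_groups "$sample"
check_renewal_groups "$sample" || echo "correct the entries above before adreload"
rm -f "$sample"
```

Listing the configured groups this way also gives a quick inventory of which groups keep renewing credentials after logout.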
For users, please review:
KB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?
For more information, please see the attached Centrify Hadoop Guide.