Centrify DirectControl on all platforms

Question:
How to set Kerberos credentials to automatically renew via group policy?

Answer:
By default, an Active Directory user's Kerberos tickets are valid for 10 hours. If the Active Directory user stays logged in and their Kerberos credentials expire, then these credentials will not renew until the user logs into the machine again, or manually issues the "kinit" command in the Terminal while connected to a domain controller.
To enable automatic renewal, enable the group policy located under:
- Computer Configuration / DirectControl Settings / Kerberos Settings / "Renew credentials automatically"
This will allow the AD user's Kerberos tickets to automatically renew after they expire, even if the user is disconnected from a domain controller. This may be useful for users who work remotely.
Note the trade-off: after this policy is enabled, Centrify Suite keeps a hash of the user's password in its memory indefinitely so that it can renew the tickets without contacting a domain controller. If adclient is stopped or restarted, either manually or by rebooting the system, the password hash is removed from memory and the user must re-authenticate. By default, Kerberos credentials are renewed every 8 hours unless a different renewal interval is set at the following location:
- Computer Configuration / DirectControl Settings / Kerberos Settings / "Set credential renewal interval"
The "Renew credentials automatically" and "Set credential renewal interval" values can also be set manually on a single machine by editing the Centrify DirectControl configuration file directly at /etc/centrifydc/centrifydc.conf and setting the following values:
- krb5.cache.infinite.renewal: true
- krb5.cache.renew.interval: 8
Note: After changing these values manually and saving the configuration file, run the following command to invoke the configuration update: sudo adreload
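A small POSIX shell helper that applies these two settings on a single machine, added here as an example and not Centrify's own tooling. It assumes only the configuration path, the two keys and the adreload command named above; the function names and the idempotent edit logic are my own.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: set the two krb5.cache.* keys
# in centrifydc.conf idempotently (replace an existing "key: value" line,
# append if absent, drop duplicates), then reload adclient with adreload.
# The config path below is the one the article names; override for tests.
CENTRIFYDC_CONF=${CENTRIFYDC_CONF:-/etc/centrifydc/centrifydc.conf}

# set_centrifydc_option FILE KEY VALUE
set_centrifydc_option() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        {
            i = index($0, ":")
            if (i > 0) {
                lk = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
                if (lk == k) {                # active line for this key
                    if (!done) { print k ": " v; done = 1 }
                    next                      # skip duplicate entries
                }
            }
            print                             # everything else untouched
        }
        END { if (!done) print k ": " v }     # key was absent: append it
    ' "$1" > "$tmp" && cat "$tmp" > "$1"      # keep the file's inode/mode
    rc=$?; rm -f "$tmp"; return $rc
}

# get_centrifydc_option FILE KEY -> prints the effective (last) value
get_centrifydc_option() {
    awk -v k="$2" '
        index($0, ":") {
            i = index($0, ":")
            lk = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }
    ' "$1"
}

# Apply the values from the article and reload adclient (run as root).
apply_renewal_settings() {
    set_centrifydc_option "$CENTRIFYDC_CONF" krb5.cache.infinite.renewal true &&
    set_centrifydc_option "$CENTRIFYDC_CONF" krb5.cache.renew.interval 8 &&
    adreload
}
```

Running the same helper twice leaves a single active line per key, so it is safe to re-run from configuration management.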
Read more about these group policies on pages 63-64 of the Centrify Group Policy Guide: