Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/ipa/ipa_common.c3
-rw-r--r--src/providers/ipa/ipa_common.h2
-rw-r--r--src/providers/krb5/krb5_child.c16
-rw-r--r--src/providers/krb5/krb5_common.c22
-rw-r--r--src/providers/krb5/krb5_common.h2
5 files changed, 41 insertions, 4 deletions
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 149a352f..545ddc9e 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -140,7 +140,8 @@ struct dp_option ipa_def_krb5_opts[] = {
{ "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
int ipa_get_options(TALLOC_CTX *memctx,
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index 33b325c0..be0f361a 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -40,7 +40,7 @@ struct ipa_service {
/* the following define is used to keep track of the options in the krb5
* module, so that if they change and ipa is not updated correspondingly
* this will trigger a runtime abort error */
-#define IPA_KRB5_OPTS_TEST 10
+#define IPA_KRB5_OPTS_TEST 11
enum ipa_basic_opt {
IPA_DOMAIN = 0,
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 2a2ed9b4..f29869bc 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1179,8 +1179,22 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline)
krb5_get_init_creds_opt_set_renew_life(kr->options, lifetime);
}
+ lifetime_str = getenv(SSSD_KRB5_LIFETIME);
+ if (lifetime_str == NULL) {
+ DEBUG(7, ("Cannot read [%s] from environment.\n",
+ SSSD_KRB5_LIFETIME));
+ } else {
+ kerr = krb5_string_to_deltat(lifetime_str, &lifetime);
+ if (kerr != 0) {
+ DEBUG(1, ("krb5_string_to_deltat failed for [%s].\n",
+ lifetime_str));
+ KRB5_DEBUG(1, kerr);
+ goto failed;
+ }
+ krb5_get_init_creds_opt_set_tkt_life(kr->options, lifetime);
+ }
+
/* TODO: set options, e.g.
- * krb5_get_init_creds_opt_set_tkt_life
* krb5_get_init_creds_opt_set_forwardable
* krb5_get_init_creds_opt_set_proxiable
* krb5_get_init_creds_opt_set_etype_list
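Review bot: The parsed `lifetime` is passed to `krb5_get_init_creds_opt_set_tkt_life` with no range check; only a parse error from `krb5_string_to_deltat` is rejected. If the parser accepts a zero or negative delta (it appears to, but confirm against the libkrb5 in use), the child requests a ticket with a non-positive lifetime and the result is left to the library or the KDC. A guard before the setter, for example `if (lifetime <= 0) { kerr = EINVAL; goto failed; }`, would make the rejection explicit, assuming the `failed` label reports `kerr`, which is not visible here. The same check belongs in the `check_and_export_options` hunk in krb5_common.c, where the configured string is first validated. krb5_child_setup begins and ends outside this hunk.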
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 1a62bbe3..7ee4d09f 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -41,7 +41,8 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
- { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }
};
errno_t check_and_export_options(struct dp_option *opts,
@@ -88,6 +89,25 @@ errno_t check_and_export_options(struct dp_option *opts,
}
}
+ str = dp_opt_get_string(opts, KRB5_LIFETIME);
+ if (str == NULL) {
+ DEBUG(5, ("No TGT lifetime configured.\n"));
+ } else {
+ ret = krb5_string_to_deltat(str, &lifetime);
+ if (ret != 0) {
+ DEBUG(1, ("Invalid value [%s] for krb5_lifetime.\n",
+ str));
+ return EINVAL;
+ }
+
+ ret = setenv(SSSD_KRB5_LIFETIME, str, 1);
+ if (ret != EOK) {
+ DEBUG(2, ("setenv [%s] failed.\n",
+ SSSD_KRB5_LIFETIME));
+ return ret;
+ }
+ }
+
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
if (dummy == NULL) {
DEBUG(1, ("No KDC explicitly configured, using defaults.\n"));
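Review bot: The `setenv` failure path returns `ret`, which at that point holds setenv's own return value (-1) rather than an errno code, although the function is declared `errno_t`. POSIX setenv reports the cause in `errno`, so save it before the DEBUG call can overwrite it: `if (ret == -1) { ret = errno; DEBUG(2, ("setenv [%s] failed.\n", SSSD_KRB5_LIFETIME)); return ret; }`. The parsed `lifetime` is otherwise unused in this hunk, so a short comment such as `/* parsed only to validate the string; krb5_child re-parses it from the environment */` would explain why the result is discarded. The body of check_and_export_options extends beyond this hunk on both sides.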
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 15ef437b..01d2dbfc 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -36,6 +36,7 @@
#define SSSD_KRB5_KDC "SSSD_KRB5_KDC"
#define SSSD_KRB5_REALM "SSSD_KRB5_REALM"
#define SSSD_KRB5_RENEWABLE_LIFETIME "SSSD_KRB5_RENEWABLE_LIFETIME"
+#define SSSD_KRB5_LIFETIME "SSSD_KRB5_LIFETIME"
#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s"
#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s"
@@ -54,6 +55,7 @@ enum krb5_opts {
KRB5_KPASSWD,
KRB5_STORE_PASSWORD_IF_OFFLINE,
KRB5_RENEWABLE_LIFETIME,
+ KRB5_LIFETIME,
KRB5_OPTS
};