[Samba] Ticket expires after 10h
Kees van Vloten
keesvanvloten at gmail.com
Tue Mar 1 00:19:59 UTC 2022
Hi team,
On my Linux desktop the krb5 ticket of my user expires after 10h. klist
just returns nothing:
$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_10004)
After kinit + password klist does show the expected output:
$ klist
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM
Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
On the desktop I run Bullseye with stock Samba (4.13.13) and winbind for
nss and pam, the DCs are running on 4.15.5 from Louis' repo.
/etc/samba/smb.conf:
[global]
interfaces = lo
bind interfaces only = yes
netbios name = DESKTOP1
security = ADS
realm = EXAMPLE.COM
workgroup = EXAMPLE
idmap config example:backend = ad
idmap config example:schema_mode = rfc2307
idmap config example:unix_primary_group = yes
idmap config example:unix_nss_info = yes
idmap config example:range = 1001-100000
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
winbind nss info = rfc2307
winbind cache time = 300
winbind enum groups = no
winbind enum users = no
winbind expand groups = 10
winbind normalize names = no
winbind offline logon = yes
lock directory = /var/cache/samba
winbind refresh tickets = yes
winbind scan trusted domains = no
winbind use default domain = yes
kerberos method = secrets and keytab
kerberos encryption types = strong
rpc server dynamic port range = 50000-55000
ntlm auth = mschapv2-and-ntlmv2-only
disable netbios = yes
template homedir = /home/%U
template shell = /bin/bash
tls enabled = yes
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
tls cafile = /etc/ssl/certs/ca.pem
min domain uid = 1001
dedicated keytab file = /etc/krb5.keytab
/etc/security/pam_winbind.conf
[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
I was under the impression that winbind would renew the ticket with the
above settings.
Why is my ticket not renewed automatically?
- Kees
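
Added example (not part of the original post and not Samba code): a small parser for MIT-style klist output like the listing above, reporting the TGT lifetime and whether the ticket carries a "renew until" line, which MIT klist prints under a ticket only when it is renewable. The sample text is constructed from the post's klist output (principals written with "@"); the function names and the MM/DD/YY date format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the klist listing from the post.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed variant: the same ticket with a renewable lifetime attached.
SAMPLE_RENEWABLE = SAMPLE + "\trenew until 03/08/22 00:55:28\n"

STAMP = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {STAMP}\s*$")


def _ts(text):
    """Parse a klist timestamp (assumed MM/DD/YY or MM/DD/YYYY)."""
    year_fmt = "%y" if len(text.split()[0]) == 8 else "%Y"
    return datetime.strptime(text, f"%m/%d/{year_fmt} %H:%M:%S")


def parse_klist(output):
    """Return one dict per ticket line found in klist output."""
    tickets = []
    for line in output.splitlines():
        m = TICKET.match(line)
        if m:
            start, end = _ts(m.group(1)), _ts(m.group(2))
            tickets.append({"service": m.group(3), "start": start,
                            "expires": end, "lifetime": end - start,
                            "renew_until": None})
            continue
        m = RENEW.match(line)
        if m and tickets:  # "renew until" belongs to the preceding ticket
            tickets[-1]["renew_until"] = _ts(m.group(1))
    return tickets


def tgt_report(output):
    """Return the krbtgt entry, or None if no TGT is in the cache."""
    for t in parse_klist(output):
        if t["service"].startswith("krbtgt/"):
            return t
    return None
```

Feeding it the output of `klist` shortly after login and again some hours later shows whether the expiry time or the cache itself changes in between.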