[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Thu Oct 1 12:17:11 UTC 2020


On 9/30/2020 7:23 PM, Jason Keltz wrote:
> On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote:
>
>>> On 30 Sep 2020, at 21:42, Jason Keltz via samba 
>>> <samba at lists.samba.org> wrote:
>>>
>>>
>>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>>>> On the client, add:
>>>>>>>
>>>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>>>
>>>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>>>
>>>>>>> kdc:user ticket lifetime = 24 = 3600
>>>>>> Sorry, I should have written 'Samba member server' instead of 
>>>>>> 'client', although technically speaking, the member server is an 
>>>>>> AD client.
>>>>>>
>>>>> I'm a bit puzzled.  I tried this on the AD client, restarted 
>>>>> Samba, logged out and in, and it didn't make any difference.  I 
>>>>> did the same thing from the DC.
>>>>>
>>>>> I also don't see gensec_gssapi mentioned at all in the smb.conf 
>>>>> man page at least for the version that we are running...
>>>> How do you know it is not working? If you set the log level to 7, 
>>>> watch the log.wb-* files for lines like:
>>>>
>>>> Current tickets expire in 2187 seconds (at 1577548806, time is now 
>>>> 1577546619)
>>>>
>>>> How do you determine what the ticket life time is?
>>>>
>>>>
>>>> -Remy
>>>>
>>>>
>>>> P.S. refer to 
>>>> https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ 
>>>> <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, 
>>>> that is where I got the setting from.
>>>>
>>>>
>>> Hi Remy,
>>>
>>> I just did a "klist" to see how much time was remaining on the 
>>> ticket.  What I was expecting was that rather than showing 10 hour 
>>> expiry, the expiry would have been 1 hour.
>> I still don't understand what you are doing. Preceding the 'klist', 
>> are you doing a 'kinit'? If so, how?
>>
>>
>> Now I am a bit puzzled...  So you have a Samba AD on which you tried 
>> to set the user ticket lifetime to 24 hours using 'kdc:user ticket 
>> lifetime = 24'. And you have a machine which is client to the Samba 
>> AD. Although the lifetime setting is 24 hours, the client shows a 
>> ticket lifetime of 10 hours. Correct?
>>
>> What does the 'klist' output look like? I would like to see what kind 
>> of tickets you get, since if these are service tickets, then you 
>> might try 'kdc:service ticket lifetime = 24'.
>>
>>
>> The 'gensec_gssapi:requested_life_time' setting is for the Winbind 
>> kerberos ticket. I was assuming you were talking about a Samba 
>> member server, which also acts as an NFSv4 server, but I think I 
>> misunderstood. Sorry.
>>
>>
>> -Remy
>
> Remy,
>
> On the domain controller (samba-ad-dc), I have in the config: kdc:user 
> ticket lifetime = 24
>
> When I login to the client (which is using pam_winbind module), I have 
> 10 hour ticket life.
>
> From klist output on the client:
>
> Valid starting       Expires              Service principal
> 09/30/2020 19:13:38  10/01/2020 05:13:37 
> krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
>     renew until 10/07/2020 19:13:38
>
> 10 hours.
>
> The client is mounting from an NFS server that is also part of the 
> domain.
>
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the 
> client, it only takes effect if I use kinit, and that isn't really 
> testing winbind.
>
> After I understood that winbind should renew the ticket for me, I 
> wanted to test that, so the intention was to change kdc:user ticket 
> lifetime = 1 and see what happens in an hour on the client - would the 
> ticket be renewed, and I would continue to have access to the NFS 
> share, or would I be receiving an error and require kinit.  Even these 
> "kdc:" options are not part of smb man page.  I don't really 
> understand why.  I guess everyone keeps the defaults? 

This morning, 10 hours after the original ticket, I note the following:

1) On the system I logged into via GNOME, the Kerberos ticket has been 
renewed:

Yesterday it was:

Valid starting       Expires              Service principal

09/30/2020 19:13:38  10/01/2020 05:13:37 
krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
     renew until 10/07/2020 19:13:38

Today it is:

Valid starting       Expires              Service principal
10/01/2020 07:58:51  10/01/2020 17:58:50 
krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
     renew until 10/08/2020 07:58:51

That worked. Nice.

However, I had also SSHed to another Linux system in the domain with a 
forwarded Kerberos ticket.  That system also uses pam_winbind.  On that 
one, the auto renewal did not work.

Yesterday:

Valid starting       Expires              Service principal
09/30/2020 21:20:37  10/01/2020 07:13:34 
krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
     renew until 10/07/2020 19:13:38

Today:

Valid starting       Expires              Service principal
09/30/2020 21:20:37  10/01/2020 07:13:34 
krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
     renew until 10/07/2020 19:13:38

% ls

ls: cannot open directory .: Key has expired

I can't, of course, kinit -R because the ticket has expired.  I tried it 
just for fun:

> % kinit -R
> kinit: Ticket expired while renewing credentials

I have two options.  I can "kinit" on the system, and the ticket would 
be renewed.  I also did an ssh to the system from another window, and now:

Valid starting       Expires              Service principal
10/01/2020 08:09:10  10/01/2020 17:58:50 
krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
     renew until 10/08/2020 07:58:51

The new ticket comes through.  Now an "ls" works on the NFS mount.

So why is it that winbind renews the ticket on the original system, but 
on the system that I ssh to, it does not?

Jason.
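Remy asked how the ticket lifetime is determined, and the thread's answer is reading klist; the forwarded TGT that expired before winbind renewed it is the case worth catching automatically. As an added example (not code from the post or from Samba), here is a small Python parser over constructed klist output, modelled on the ssh target's ticket above, that reports the granted lifetime and classifies whether the TGT can still be renewed; the cache path, user name and 30-minute margin are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed klist output modelled on the ssh target in the post (the
# forwarded TGT winbind did not renew); cache path and user are assumptions.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jas@AD.EECS.YORKU.CA

Valid starting       Expires              Service principal
09/30/2020 21:20:37  10/01/2020 07:13:34  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
\trenew until 10/07/2020 19:13:38
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
TS_RE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS_RE})\s*$")

def parse_klist(text):
    """One dict per ticket line; a following 'renew until' line is attached to it."""
    tickets = []
    for line in text.splitlines():
        if m := TICKET_RE.match(line):
            tickets.append({"start": datetime.strptime(m.group(1), TS_FMT),
                            "expires": datetime.strptime(m.group(2), TS_FMT),
                            "principal": m.group(3), "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return tickets

def lifetime_hours(ticket):
    """The lifetime the KDC actually granted: Expires minus Valid starting."""
    return (ticket["expires"] - ticket["start"]).total_seconds() / 3600

def tgt_status(ticket, now, warn_before=timedelta(minutes=30)):
    """Classify a TGT for a renewal check; the 30-minute margin is an assumption."""
    if now >= ticket["expires"]:
        # An expired TGT cannot be renewed even inside its renew-until window:
        # kinit -R reports "Ticket expired while renewing credentials".
        return "expired"
    if ticket["renew_until"] is None or ticket["renew_until"] <= ticket["expires"]:
        return "valid-not-renewable"
    if ticket["expires"] - now <= warn_before:
        return "renew-now"
    return "valid"
```

Run it over the real output of `klist` on the ssh target with a cron job that calls `kinit -R` while the status is still "renew-now", and the "Key has expired" error on the NFS mount does not occur.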