[Samba] Re: newbie question regarding kerberos tickets
tuckerd at engr.smu.edu
Fri May 12 13:23:23 GMT 2006
I'm not sure I follow. By client, you mean my samba server that is
joined to AD? I've been running without a ticket at all for 2 weeks
now, and have yet to see a single problem. What type of bad behaviour
should I be looking for? We're using win2k3 AD, samba 3.0.22, and all
winXP desktop clients. Sorry if I'm being a pain, I'm just a bit
confused here, as I can't find any documentation on this subject. All I
see is in the installation instructions that you have to do the kinit
admin at realm and log in which gives you a ticket. My issue is my windows
guys aren't very bright and didn't even know that their AD ran anything
"called kerberos", and don't know how to change the ticket lifetime.
That concerned me because I don't want to have to set up a cron to auto
login every 24 hours, so I put it on the backburner, the ticket expired,
I come back and everything is still working fine. Which got me thinking
about its validity, which started me down this path I have digressed
to, just deleting the ticket, rebooting the machine to remove anything
from memory, resume testing, and the whole thing still works like a
charm. And so far, all I'm getting here from this user group is
everyone seems to feel like this ticket is necessary, yet no one is
taking a shot at why I'm working just fine. I'm just concerned about
going production if this is really necessary, but so far from what I've
seen, the ticket is not needed at all. Anyone else try running in this
type of environment without one?
On Thu, 2006-05-11 at 21:17 -0700, Doug VanLeuven wrote:
> When using domain logons, after resuming from a hibernate that
> exceeded the lifetime of the Kerberos ticket, the client doesn't
> immediately renew the ticket. It will auto renew, but I've not
> determined the amount of time it takes.
> Is there a way to force the client to renew the ticket? Short of
> rebooting, that is. Things don't work very well until it's renewed.
> Trying to go green. Samba client and/or XP/2000 client?
> Regards, Doug
> simo wrote:
> > Samba stores the machine password and obtains tickets from the KDC when
> > needed.
> > Simo.
> > On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:
> >> Thanks. But again, is the ticket even needed? I deleted the darn
> >> thing, rebooted to make sure it wasn't cached in memory somewhere, and
> >> everything seems to be working perfectly. If it is indeed needed, and I
> >> need to extend the period, are there any directions on how to do that on
> >> the windows side?
> >> On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:
> >>> Hi,
> >>> the period for which the ticket is valid can be set in Windows Server.
> >>> Best regards, Blaž.
> >>> Doug Tucker wrote:
> >>>> I recently joined a samba 3.0.22 server to AD. When I did the kinit,
> >>>> the AD gave me a 24 hour ticket with a 1 week renewal. Setting -r and
> >>>> -l to 365d did not change anything, the ticket still came back the same.
> >>>> However, my question is in regard to whether this is really even
> >>>> needed? First, I deleted the ticket, and everything seemed to continue
> >>>> to work perfectly. Now, I let the ticket expire for a couple of weeks
> >>>> now, and yet, the samba server is working fine and users still
> >>>> authenticate against AD just fine. Am I missing something, or is the
> >>>> creation of that ticket not even needed? Thank you for your assistance.
> >>>> doug...