[Samba] Re: newbie question reguarding kerberos tickets

simo idra at samba.org
Fri May 12 13:42:29 GMT 2006


Doug,
you don't need any login to make samba work in an AD environment.
At join time, samba creates a machine account in the domain and stores the
machine password in the secrets.tdb file. When samba needs to do some
operation with the domain, it just needs to use that account to request
tickets from the KDC.
It is just like any other Windows host out there.

Simo.

On Fri, 2006-05-12 at 08:23 -0500, Doug Tucker wrote:
> I'm not sure I follow.  By client, you mean my samba server that is
> joined to AD?  I've been running without a ticket at all for 2 weeks
> now, and have yet to see a single problem.  What type of bad behaviour
> should I be looking for?  We're using win2k3 AD, samba 3.0.22, and all
> winXP desktop clients.  Sorry if I'm being a pain, I'm just a bit
> confused here, as I can't find any documentation on this subject.  All I
> see is in the installation instructions that you have to do the kinit
> admin@realm and log in which gives you a ticket.  My issue is my windows
> guys aren't very bright and didn't even know that their AD ran anything
> "called kerberos", and don't know how to change the ticket lifetime.
> That concerned me because I don't want to have to set up a cron to auto
> login every 24hours, so I put it on the backburner, the ticket expired,
> I come back and everything is still working fine.  Which got me thinking
> about its validity, which started me down this path I have digressed
> to, just deleting the ticket, rebooting the machine to remove anything
> from memory, resume testing, and the whole thing still works like a
> charm.  And so far, all I'm getting here from this user group is
> everyone seems to feel like this ticket is necessary, yet no one is
> taking a shot at why I'm working just fine.  I'm just concerned about
> going production if this is really necessary, but so far from what I've
> seen, the ticket is not needed at all.  Anyone else try running in this
> type of environment without one?
> 
> 
> On Thu, 2006-05-11 at 21:17 -0700, Doug VanLeuven wrote:
> > When using domain logons, after resuming from a hibernate that
> > exceeded the lifetime of the Kerberos ticket, the client doesn't
> > immediately renew the ticket.  It will auto renew, but I've not
> > determined the amount of time it takes.
> > Is there a way to force the client to renew the ticket?  Short of
> > rebooting, that is.  Things don't work very well until it's renewed.
> > Trying to go green.  Samba client and/or XP/2000 client?
> > 
> > Regards, Doug
> > 
> > 
> > simo wrote:
> > > Samba stores the machine password and obtains tickets from the KDC when
> > > needed.
> > > 
> > > Simo.
> > > 
> > > On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:
> > >> Thanks.  But again, is the ticket even needed?  I deleted the darn
> > >> thing, rebooted to make sure it wasn't cached in memory somewhere, and
> > >> everything seems to be working perfectly.  If it is indeed needed, and I
> > >> need to extend the period, is there any directions on how to do that on
> > >> the windows side?
> > >>
> > >>
> > >> On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:
> > >>> Hi,
> > >>>
> > >>> the period for which the ticket is valid can be set in Windows Server.
> > >>>
> > >>> Best regards, Blaž.
> > >>>
> > >>> Doug Tucker wrote:
> > >>>> I recently joined a samba 3.0.22 server to AD.  When I did the kinit,
> > >>>> the AD gave me a 24 hour ticket with a 1 week renewal.  Setting -r and
> > >>>> -l to 365d did not change anything, the ticket still came back the same.
> > >>>> However, my question is in regard to whether this is really even
> > >>>> needed?  First, I deleted the ticket, and everything seemed to continue
> > >>>> to work perfectly.  Now, I let the ticket expire for a couple of weeks
> > >>>> now, and yet, the samba server is working fine and users still
> > >>>> authenticate against AD just fine.  Am I missing something, or is the
> > >>>> creation of that ticket not even needed?  Thank you for your assistance.
> > >>>>
> > >>>> doug...
> > >>>>
> > 
-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
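An added example, not part of the thread and not Samba's own code, that turns Simo's point into a check one can run on the member server: destroy the cache left by "kinit admin@REALM", then confirm that the machine account kept in secrets.tdb still reaches the DC and that winbind can still authenticate a domain user. It assumes winbindd is running, the host was already joined with "net ads join", klist/kdestroy come from MIT or Heimdal Kerberos, and that "EXAMPLE\jdoe" and the file name verify_join.sh are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or the Samba project): verify that a
# Samba member server talks to the domain with its machine account, whose
# password lives in secrets.tdb, and not with any user's kinit ticket.
# Assumptions: winbindd is running, "net ads join" has been done, and
# klist/kdestroy are the MIT or Heimdal tools. "EXAMPLE" is a made-up domain.

# Print the names given as arguments that are not found in PATH
# (prints nothing when every tool is present).
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Step 1: remove the cache created by "kinit admin@REALM" and confirm it is gone.
# "klist -s" is silent and exits non-zero when the default cache is missing,
# empty or expired.
drop_user_tickets() {
    kdestroy 2>/dev/null || true
    if klist -s 2>/dev/null; then
        echo "a user ticket cache is still present" >&2
        return 1
    fi
    echo "no user ticket cache"
}

# Step 2: with no user ticket at all, the machine account must still work.
# "net ads testjoin" binds to a DC with the machine password from secrets.tdb;
# "wbinfo -t" asks winbindd to verify the same trust secret.
check_machine_trust() {
    net ads testjoin && wbinfo -t
}

# Step 3: a domain user logon through winbind, still without a user ticket.
# Usage: check_user_auth 'EXAMPLE\jdoe' 'password'
check_user_auth() {
    wbinfo -a "$1%$2"
}

main() {
    missing=$(missing_tools kdestroy klist net wbinfo | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "missing tools: $missing" >&2
        return 2
    fi
    drop_user_tickets || return 1
    if check_machine_trust; then
        echo "machine account trust OK without any user ticket"
    else
        echo "machine account trust FAILED; the join itself is broken" >&2
        return 1
    fi
    if [ $# -eq 2 ]; then
        check_user_auth "$1" "$2" || return 1
    fi
}

# Only act when RUN=1 is set, so the file can also be sourced for its
# functions without touching any ticket cache.
if [ "${RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as RUN=1 sh verify_join.sh 'EXAMPLE\jdoe' 'password'. If step 2 fails but a fresh kinit makes things work again, it is the machine account that is broken (re-run "net ads join", or rotate the trust password with "net ads changetrustpw"), not the admin's ticket; the ticket lifetime the Windows admins set only ever applied to that user ticket.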
