[Samba] Re: newbie question regarding kerberos tickets

Doug VanLeuven roamdad at sonic.net
Fri May 12 15:20:22 GMT 2006


Simo,
I'm Doug 2.  Do you know how to initiate speedy renewal of
the tickets for the instance of a hibernated client that
sleeps through and well past the lifetime of the ticket?

I agree that the ticket renewal happens automagically.
But for a while after waking up, the client can't access
the shares and it's enough of an issue with users to force
turning off hibernation and run them 24 hrs a day.

Sorry for being off-topic to the original post.  Trigger word was
ticket lifetime.

Doug2

simo wrote:
> Doug,
> you don't need any login to make samba work in an AD environment.
> At the join samba creates a machine account in the domain, and stores the
> machine password in the secrets.tdb file. When samba needs to do some
> operation with the domain it just needs to use that account to request
> tickets from the KDC.
> It is just like any other windows host out there.
> 
> Simo.
> 
> On Fri, 2006-05-12 at 08:23 -0500, Doug Tucker wrote:
>> I'm not sure I follow.  By client, you mean my samba server that is
>> joined to AD?  I've been running without a ticket at all for 2 weeks
>> now, and have yet to see a single problem.  What type of bad behaviour
>> should I be looking for?  We're using win2k3 AD, samba 3.0.22, and all
>> winXP desktop clients.  Sorry if I'm being a pain, I'm just a bit
>> confused here, as I can't find any documentation on this subject.  All I
>> see is in the installation instructions that you have to do the kinit
>> admin@realm and log in which gives you a ticket.  My issue is my windows
>> guys aren't very bright and didn't even know that their AD ran anything
>> "called kerberos", and don't know how to change the ticket lifetime.
>> That concerned me because I don't want to have to set up a cron to auto
>> login every 24 hours, so I put it on the backburner, the ticket expired,
>> I come back and everything is still working fine.  Which got me thinking
>> about its validity, which started me down this path I have digressed
>> to, just deleting the ticket, rebooting the machine to remove anything
>> from memory, resume testing, and the whole thing still works like a
>> charm.  And so far, all I'm getting here from this user group is
>> everyone seems to feel like this ticket is necessary, yet no one is
>> taking a shot at why I'm working just fine.  I'm just concerned about
>> going production if this is really necessary, but so far from what I've
>> seen, the ticket is not needed at all.  Anyone else try running in this
>> type of environment without one?
>>
>>
>> On Thu, 2006-05-11 at 21:17 -0700, Doug VanLeuven wrote:
>>> When using domain logons, after resuming from a hibernate that
>>> exceeded the lifetime of the Kerberos ticket, the client doesn't
>>> immediately renew the ticket.  It will auto renew, but I've not
>>> determined the amount of time it takes.
>>> Is there a way to force the client to renew the ticket?  Short of
>>> rebooting, that is.  Things don't work very well until it's renewed.
>>> Trying to go green.  Samba client and/or XP/2000 client?
>>>
>>> Regards, Doug
>>>
>>>
>>> simo wrote:
>>>> Samba stores the machine password and obtains tickets from the KDC when
>>>> needed.
>>>>
>>>> Simo.
>>>>
>>>> On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:
>>>>> Thanks.  But again, is the ticket even needed?  I deleted the darn
>>>>> thing, rebooted to make sure it wasn't cached in memory somewhere, and
>>>>> everything seems to be working perfectly.  If it is indeed needed, and I
>>>>> need to extend the period, is there any directions on how to do that on
>>>>> the windows side?
>>>>>
>>>>>
>>>>> On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:
>>>>>> Hi,
>>>>>>
>>>>>> the period for which the ticket is valid can be set in Windows Server.
>>>>>>
>>>>>> Best regards, Blaž.
>>>>>>
>>>>>> Doug Tucker wrote:
>>>>>>> I recently joined a samba 3.0.22 server to AD.  When I did the kinit,
>>>>>>> the AD gave me a 24 hour ticket with a 1 week renewal.  Setting -r and
>>>>>>> -l to 365d did not change anything, the ticket still came back the same.
>>>>>>> However, my question is in regard to whether this is really even
>>>>>>> needed?  First, I deleted the ticket, and everything seemed to continue
>>>>>>> to work perfectly.  Now, I let the ticket expire for a couple of weeks
>>>>>>> now, and yet, the samba server is working fine and users still
>>>>>>> authenticate against AD just fine.  Am I missing something, or is the
>>>>>>> creation of that ticket not even needed?  Thank you for your assistance.
>>>>>>>
>>>>>>> doug...
>>>>>>>
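The check behind both questions in this thread (is the admin's kinit ticket still needed, and what does a client that slept past its ticket lifetime have to do) comes down to reading the ticket cache and applying one Kerberos rule: a renewable ticket can be renewed with `kinit -R` only while it is still valid, however far off its "renew until" time is; once the end time has passed, renewal is refused and a fresh authentication is needed (MIT kinit reports "Ticket expired while renewing credentials"). The script below is an added example written for this page, not Samba code and not from any of the posters. It assumes MIT-style `klist` output; SAMPLE_KLIST is a constructed sample mirroring the 24-hour lifetime and 1-week renewal the original poster got from AD, and the principal and host names in it are invented.

```python
"""Decide what a woken-up client must do with its Kerberos tickets.

Added example for this thread (not Samba code, not from any poster).
Parses MIT-style klist output and applies the rule that matters after
hibernation: a renewable ticket can be renewed with `kinit -R` only
while it is still valid, no matter how far off 'renew until' is.  Past
the end time the client needs a fresh kinit (for a Samba member server,
a new request made with the machine password from secrets.tdb).
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the style of MIT klist, with the 24-hour lifetime
# and 1-week renewal the original poster describes.  Older MIT builds
# printed 2-digit years; the parser also accepts 4-digit years.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/fileserver.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
05/12/06 08:23:00  05/13/06 08:23:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/19/06 08:23:00
05/12/06 08:24:10  05/13/06 08:23:00  cifs/dc1.example.com@EXAMPLE.COM
"""

TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")


def parse_ts(text):
    """Parse 'MM/DD/YY HH:MM:SS' or 'MM/DD/YYYY HH:MM:SS' as klist prints it."""
    fmt = "%m/%d/%y %H:%M:%S" if len(text.split()[0]) == 8 else "%m/%d/%Y %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_klist(output):
    """Return tickets as dicts: service, starts, expires, renew_until (or None)."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3),
                            "starts": parse_ts(m.group(1)),
                            "expires": parse_ts(m.group(2)),
                            "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # the 'renew until' line belongs to the ticket above it
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return tickets


def tgt_action(ticket, now, warn=timedelta(hours=1)):
    """Action for the TGT at time `now`: 'ok', 'renew' or 'reauth'."""
    if now >= ticket["expires"]:
        return "reauth"  # past the end time: kinit -R is refused, re-authenticate
    renew_until = ticket["renew_until"]
    expiring_soon = ticket["expires"] - now <= warn
    if expiring_soon and renew_until is not None and now < renew_until:
        return "renew"   # still valid and renewable: kinit -R extends the lifetime
    return "ok"


def plan(output, now, warn=timedelta(hours=1)):
    """Map each service principal in klist output to the action it needs."""
    actions = {}
    for t in parse_klist(output):
        if t["service"].startswith("krbtgt/"):
            actions[t["service"]] = tgt_action(t, now, warn)
        elif now >= t["expires"]:
            # An expired service ticket is just re-requested with the TGT, so
            # only the TGT's state decides whether a new login is needed.
            actions[t["service"]] = "refetch"
        else:
            actions[t["service"]] = "ok"
    return actions


if __name__ == "__main__":
    # Three wake-up times: mid-lifetime, 38 minutes before expiry, a day late.
    for when in ("05/12/06 12:00:00", "05/13/06 07:45:00", "05/14/06 09:00:00"):
        print(when, plan(SAMPLE_KLIST, parse_ts(when)))
```

Run it against real output with `plan(subprocess.check_output(["klist"], text=True), datetime.now())`. The "reauth" case is the hibernation scenario from this thread: a machine that sleeps past the end time cannot be rescued by renewal, so a cron job that only runs `kinit -R` will not help; for the Samba server itself the relevant credential is the machine account, whose join can be checked with `net ads testjoin`, and which is what the thread says Samba uses rather than the administrator's original kinit ticket.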