[Samba] Problem with Winbind and Windows Clients

Rowland penny rpenny at samba.org
Fri Mar 11 08:54:15 UTC 2016 

On 11/03/16 07:54, Oliver Werner wrote:
> Hi,
>
> i have a permanent problem with my samba members. there lost after some times his connections to DCs and i need to restart winbind.
>
> Also same problem with winds client that running 24x7. After few days i can not logged in.
>
> i think thats a problem with kerberos tickets.
>
> i have checks samba logs and found that samba member and windows client ask for new tickets and get new expiration.
>
> in my DCs i have set
>
> 	kdc:service ticket lifetime = 1
> 	kdc:user ticket lifetime = 24
> 	kdc:renewal lifetime = 120
>
> and Master krb5.conf looks
>
> [libdefaults]
> 	default_realm = HQ.KONTRAST
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 	ticket_lifetime = 1d
> 	renew_lifetime = 5d
>
> [realms]
>     HQ.KONTRAST = {
>        kdc = vl0227.hq.kontrast
>        kdc = vl0230.hq.kontrast
>        kdc = pl0231.hq.kontrast
>        master_kdc = vl0227.hq.kontrast
>        admin_server = vl0227.hq.kontrast
>     }
>
> [domain_realm]
> 	.hq.kontrast = HQ.KONTRAST
> 	hq.kontrast = HQ.KONTRAST
>
> [logging]
> 	kdc = SYSLOG:INFO:DAEMON
> 	admin_server            = FILE:/var/log/kadmind.log
>
>
> So what i saw was GPOs are default empty. i need for winbind configure Kerberos Policy?
>

I think you may be over-thinking kerberos, where did you get:

     kdc:service ticket lifetime = 1
     kdc:user ticket lifetime = 24
     kdc:renewal lifetime = 120

Also where did you set it ?

You have this in krb5.conf:

     dns_lookup_kdc = true

and this:

[realms]
    HQ.KONTRAST = {
       kdc = vl0227.hq.kontrast
       kdc = vl0230.hq.kontrast
       kdc = pl0231.hq.kontrast
       master_kdc = vl0227.hq.kontrast
       admin_server = vl0227.hq.kontrast
    }

man krb5.conf  contains this:

dns_lookup_kdc
     Indicate whether DNS SRV records should be used to locate the KDCs 
and other servers for a realm, if they are not listed in the information 
for the realm. The default is to use these records.

You seem to be overriding the defaults, I would reset krb5.conf (on all 
samba machines) to just this:

[libdefaults]
     default_realm = HQ.KONTRAST
     dns_lookup_realm = false
     dns_lookup_kdc = true

Rowland

More information about the samba mailing list