[Samba] How does "winbind refresh tickets" work?

Taner Tas taner76 at gmail.com
Mon Aug 19 08:31:31 UTC 2019 

Hi list,I want to make winbind kerberos ticket refresh work but I couldn't do it with configuration below:
------ smb.conf ------security = ADS
workgroup = MYDOMAINrealm = MYDOMAIN.ORG
log file = /var/log/samba/%m.loglog level = 6enable core files = no
idmap config * : backend = tdbidmap config * : range = 3000-7999idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
dedicated keytab file = /etc/krb5.keytabkerberos method = secrets and keytab
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yeswinbind refresh tickets = yeswinbind offline logon = yes
winbind enum groups = nowinbind enum users = nowinbind expand groups = 1winbind nested groups = yeswinbind offline logon = yes
------ common-auth ------auth    [success=2 default=ignore]      pam_unix.so nullok_secureauth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_passauth    requisite                       pam_deny.soauth    required                        pam_permit.so
------ pam_winbind.conf ------[global] krb5_auth = yes
 krb5_ccache_type = FILE cached_login = yes silent = no
------ some tests ------# net ads testjoinJoin is OK

 # klist -kKeytab name: FILE:/etc/krb5.keytabKVNO Principal---- --------------------------------------------------------------------------   2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG   2 host/client28 at MYDOMAIN.ORG   2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG   2 host/client28 at MYDOMAIN.ORG   2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG   2 host/client28 at MYDOMAIN.ORG   2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG   2 host/client28 at MYDOMAIN.ORG   2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG   2 host/client28 at MYDOMAIN.ORG   2 client28$@MYDOMAIN.ORG   2 client28$@MYDOMAIN.ORG   2 client28$@MYDOMAIN.ORG   2 client28$@MYDOMAIN.ORG   2 client28$@MYDOMAIN.OR
$ klist Ticket cache: FILE:/tmp/krb5cc_582587Default principal: john.doe at MYDOMAIN.ORG
Valid starting       Expires              Service principal16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG at MYDOMAIN.ORG renew until 23-08-2019 16:08:4416-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@ renew until 23-08-2019 16:08:4416-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org at MYDOMAIN.ORG renew until 23-08-2019 16:08:44
According to "klist" output of user john.doe at MYDOMAIN.ORG, kerberos ticket is expired but there is still time for renew it. Can winbind capable of extend his ticket as long as his session active? Should I do some extra work to this automatic process work? In my case, after 10 hours, users can't use our web gateway (http proxy) due to the expired keys. Users should do "kinit -R" to refresh tickets which doesn't make any sense if winbind is capable of extend ticket's validation automatically with a proper configuration.
Any suggestion appreciated.
Regards.
Samba 4.10.6 (van-belle repo)Debian 10
__Taner Tas

More information about the samba mailing list