[Samba] How does "winbind refresh tickets" work?
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 19 08:47:53 UTC 2019
Hai,
Below is a bit garbled, but what about.
What did you set for your proxy server?
Did you enable "This computer is allowed to delegate (only kerberos)"?
samba-tool delegation for-any-service COMPUTERNAME$ on
And have you tried to increase the ticket lifetime in /etc/krb5.conf?
For example: ticket_lifetime = 24h
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Taner Tas via samba
> Sent: Monday 19 August 2019 10:32
> To: samba at lists.samba.org
> Subject: [Samba] How does "winbind refresh tickets" work?
>
> Hi list,
> I want to make winbind kerberos ticket refresh work
> but I couldn't do it with the configuration below:
>
> ------ smb.conf ------
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.ORG
> log file = /var/log/samba/%m.log
> log level = 6
> enable core files = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 1
> winbind nested groups = yes
> winbind offline logon = yes
>
> ------ common-auth ------
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
>
> ------ pam_winbind.conf ------
> [global]
> krb5_auth = yes
> krb5_ccache_type = FILE
> cached_login = yes
> silent = no
> ------ some tests ------
> # net ads testjoin
> Join is OK
>
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
>    2 host/client28@MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
>    2 host/client28@MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
>    2 host/client28@MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
>    2 host/client28@MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
>    2 host/client28@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.OR
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_582587
> Default principal: john.doe@MYDOMAIN.ORG
>
> Valid starting       Expires              Service principal
> 16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
> According to the "klist" output of user john.doe@MYDOMAIN.ORG,
> the kerberos ticket is expired but there is still time to renew
> it. Is winbind capable of extending his ticket as long as his
> session is active? Should I do some extra work to make this automatic
> process work? In my case, after 10 hours, users can't use our
> web gateway (http proxy) due to the expired keys. Users
> have to do "kinit -R" to refresh tickets, which doesn't make
> any sense if winbind is capable of extending a ticket's validity
> automatically with a proper configuration.
> Any suggestion appreciated.
> Regards.
>
> Samba 4.10.6 (van-belle repo)
> Debian 10
>
> Taner Tas
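The question in the thread turns on the difference between a ticket's "Expires" time and its "renew until" time: between those two points a ticket is expired but still renewable, and that is the window in which a refresh (by winbind or by `kinit -R`) can still succeed. The script below is an added example, not code from the thread or from Samba: it parses a `klist` listing laid out like Taner's and classifies each service ticket as valid, expired but renewable, or past its renewable window at a given point in time. The sample listing is constructed to match the layout of his output (same cache path, principals and timestamps); the three "now" timestamps in the stand-alone run are assumed, not from the thread.

```shell
#!/bin/sh
# Added example: classify the tickets in a klist dump relative to a given "now".
# Diagnostic only: it compares the timestamps klist prints and renews nothing.

# Constructed sample, laid out like the klist output in the thread (dd-mm-yyyy dates).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_582587
Default principal: john.doe@MYDOMAIN.ORG

Valid starting       Expires              Service principal
16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
        renew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
        renew until 23-08-2019 16:08:44'

# ticket_states KLIST_OUTPUT NOW  ->  one "principal<TAB>state" line per ticket.
# NOW is "YYYY-MM-DD HH:MM:SS"; klist's dd-mm-yyyy dates are rewritten to that
# form so plain string comparison orders them chronologically (no mktime needed).
ticket_states() {
    printf '%s\n' "$1" | awk -v now="$2" '
        function iso(d, t,   p) { split(d, p, "-"); return p[3] "-" p[2] "-" p[1] " " t }
        function emit(   state) {
            if (now <= expiry)                     state = "valid"
            else if (renew != "" && now <= renew)  state = "expired-renewable"
            else                                   state = "expired-not-renewable"
            print svc "\t" state
        }
        # A ticket line: start date, start time, expiry date, expiry time, principal
        $1 ~ /^[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9]$/ && NF >= 5 {
            if (svc != "") emit()
            expiry = iso($3, $4); svc = $5; renew = ""
            next
        }
        # The continuation line that belongs to the ticket above it
        $1 == "renew" && $2 == "until" { renew = iso($3, $4) }
        END { if (svc != "") emit() }
    '
}

# state_of PRINCIPAL KLIST_OUTPUT NOW  ->  the state word for one principal
state_of() {
    ticket_states "$2" "$3" | awk -F'\t' -v p="$1" '$1 == p { print $2 }'
}

# Stand-alone run at three assumed points in time: inside the 10h lifetime,
# after expiry but before "renew until", and after the renewable window.
for now in "2019-08-16 20:00:00" "2019-08-17 10:00:00" "2019-08-24 00:00:00"; do
    echo "== now: $now"
    ticket_states "$SAMPLE_KLIST" "$now"
done
```

The parser assumes the dd-mm-yyyy date layout shown in the thread; `klist` prints dates according to the locale, so adjust `iso()` if yours differs. Run against a live cache with `ticket_states "$(klist)" "$(date '+%Y-%m-%d %H:%M:%S')"`. A ticket reported as "expired-renewable" for a logged-in user is the situation Taner describes: the credential could still be renewed, but nothing on the client did so before the users hit the proxy.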