[Samba] How does "winbind refresh tickets" work?

L.P.H. van Belle belle at bazuin.nl
Mon Aug 19 08:47:53 UTC 2019


Hai,

Below is a bit garbled, but what about the following.

What did you set for your proxy server?
Did you enable "This computer is allowed to Delegate (only kerberos)"?
samba-tool delegation for-any-service COMPUTERNAME$ on

And have you tried to increase the ticket lifetime in /etc/krb5.conf?
For example:    ticket_lifetime = 24h


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Taner Tas via samba
> Sent: Monday 19 August 2019 10:32
> To: samba at lists.samba.org
> Subject: [Samba] How does "winbind refresh tickets" work?
> 
> Hi list,
> I want to make winbind kerberos ticket refresh work
> but I couldn't do it with configuration below:
> 
> ------ smb.conf ------
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.ORG
> log file = /var/log/samba/%m.log
> log level = 6
> enable core files = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 1
> winbind nested groups = yes
> winbind offline logon = yes
> 
> ------ common-auth ------
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth    requisite                       pam_deny.so
> auth    required                        pam_permit.so
> 
> ------ pam_winbind.conf ------
> [global]
> krb5_auth = yes
> krb5_ccache_type = FILE
> cached_login = yes
> silent = no
> 
> ------ some tests ------
> # net ads testjoin
> Join is OK
> 
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.OR
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_582587
> Default principal: john.doe at MYDOMAIN.ORG
> 
> Valid starting       Expires              Service principal
> 16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG at MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org at MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
> According to the "klist" output of user john.doe at MYDOMAIN.ORG,
> the kerberos ticket is expired but there is still time to renew
> it. Is winbind capable of extending his ticket as long as his
> session is active? Should I do some extra work to make this automatic
> process work? In my case, after 10 hours, users can't use our
> web gateway (http proxy) due to the expired keys. Users
> should do "kinit -R" to refresh tickets, which doesn't make
> any sense if winbind is capable of extending the ticket's validity
> automatically with a proper configuration.
> Any suggestion appreciated.
> Regards.
> Samba 4.10.6 (van-belle repo)
> Debian 10
> --
> Taner Tas
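The diagnosis Taner made by hand (ticket expired, renew window still open) can be checked mechanically. The following is an added example, not code from the thread or from Samba: a small Python parser for MIT `klist` output in the layout and dd-mm-yyyy timestamp format shown above. It classifies each ticket at a given moment as still valid, expired but inside its renewable lifetime (the case where `winbind refresh tickets` or `kinit -R` can still renew it without a password), or past `renew until` (a fresh logon is required). The sample `klist` text is constructed from the values in the message, with the list archive's " at " obfuscation turned back into `@`; the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample: the klist output from the thread, re-wrapped into the
# layout MIT klist actually prints (dd-mm-yyyy timestamps, "renew until" lines).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_582587
Default principal: john.doe@MYDOMAIN.ORG

Valid starting       Expires              Service principal
16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
\trenew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
\trenew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
\trenew until 23-08-2019 16:08:44
"""

# Timestamp format as printed by klist on this system (day-month-year).
TS = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")


def parse_ts(text):
    """Parse a klist timestamp such as '17-08-2019 03:07:46'."""
    return datetime.strptime(text, "%d-%m-%Y %H:%M:%S")


def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until (or None).

    A 'renew until' line always belongs to the ticket printed just before it.
    """
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": parse_ts(m.group(1)),
                "expires": parse_ts(m.group(2)),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return tickets


def classify(ticket, now):
    """State of a ticket at time 'now'.

    'valid'              -> usable as-is
    'expired-renewable'  -> expired, but renewal (kinit -R / winbind refresh)
                            still works because renew_until has not passed
    'expired'            -> renewal impossible; a new TGT needs a fresh logon
    """
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] is not None and now < ticket["renew_until"]:
        return "expired-renewable"
    return "expired"


def lifetime_hours(ticket):
    """Ticket lifetime the KDC granted; compare with ticket_lifetime in krb5.conf."""
    return (ticket["expires"] - ticket["start"]).total_seconds() / 3600


def report(text, now):
    """Map each service principal in the klist output to its state at 'now'."""
    return {t["service"]: classify(t, now) for t in parse_klist(text)}


if __name__ == "__main__":
    # The moment the users in the thread hit the proxy the next morning.
    now = parse_ts("17-08-2019 10:00:00")
    for service, state in report(SAMPLE_KLIST, now).items():
        print(f"{state:18} {service}")
    tgt = parse_klist(SAMPLE_KLIST)[0]
    print(f"TGT lifetime granted by the KDC: {lifetime_hours(tgt):.0f}h")
```

Running it against the sample reports every ticket as `expired-renewable` at 10:00 on 17-08-2019 and a granted TGT lifetime of 10 hours, which matches the "after 10 hours" symptom: the cache is in exactly the state a renewal would fix, so the question is whether winbind is performing that renewal, not whether the KDC allows it. Once `renew until` passes (here 23-08-2019 16:08:44) the state becomes `expired` and no renewal mechanism will help.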