[Samba] How does "winbind refresh tickets" work?

Rowland penny rpenny at samba.org
Mon Aug 19 08:59:30 UTC 2019


On 19/08/2019 09:31, Taner Tas via samba wrote:
> Hi list,
> I want to make winbind kerberos ticket refresh work but I couldn't do it with the configuration below:
>
> ------ smb.conf ------
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.ORG
> log file = /var/log/samba/%m.log
> log level = 6
> enable core files = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 1
> winbind nested groups = yes
> winbind offline logon = yes
>
> ------ common-auth ------
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> auth    requisite                       pam_deny.so
> auth    required                        pam_permit.so
>
> ------ pam_winbind.conf ------
> [global]
>   krb5_auth = yes
>   krb5_ccache_type = FILE
>   cached_login = yes
>   silent = no
>
> ------ some tests ------
> # net ads testjoin
> Join is OK
>
> # klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 host/client28.MYDOMAIN.ORG at MYDOMAIN.ORG
>    2 host/client28 at MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.ORG
>    2 client28$@MYDOMAIN.OR
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_582587
> Default principal: john.doe at MYDOMAIN.ORG
>
> Valid starting       Expires              Service principal
> 16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG at MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
>         renew until 23-08-2019 16:08:44
> 16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org at MYDOMAIN.ORG
>         renew until 23-08-2019 16:08:44
>
> According to the "klist" output for user john.doe at MYDOMAIN.ORG, the kerberos ticket is expired but there is still time to renew it. Is winbind capable of extending his ticket as long as his session is active? Should I do some extra work for this automatic process to work? In my case, after 10 hours, users can't use our web gateway (http proxy) due to the expired keys. Users have to do "kinit -R" to refresh tickets, which doesn't make any sense if winbind is capable of extending a ticket's validity automatically with a proper configuration.
>
> Any suggestion appreciated.
> Regards.
>
> Samba 4.10.6 (van-belle repo)
> Debian 10
>
> __Taner Tas

Try this: apt-get install libpam-krb5

Rowland
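An added diagnostic for the situation the quoted question describes (example code, not from the thread or from Samba): it parses `klist` output in the day-month-year format shown above and reports whether the TGT is still valid, expired but inside its renew window (the state john.doe was in), or past renewal entirely. The sample `klist` text is constructed and uses `@` where the list archive printed `at`; the realm name and the `tgt_state` helper are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output quoted in the thread (not a live capture).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_582587
Default principal: john.doe@MYDOMAIN.ORG

Valid starting       Expires              Service principal
16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
        renew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
        renew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
        renew until 23-08-2019 16:08:44
"""

TS = "%d-%m-%Y %H:%M:%S"  # the day-month-year format klist printed on this Debian host
STAMP = r"\d\d-\d\d-\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({STAMP})$")

def parse_klist(text):
    """Return one dict per ticket; 'renew_until' stays None for non-renewable tickets."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"expires": datetime.strptime(m.group(2), TS),
                            "service": m.group(3), "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # the 'renew until' line belongs to the ticket just parsed
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS)
    return tickets

def ticket_state(ticket, now):
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] and now < ticket["renew_until"]:
        return "expired-renewable"  # kinit -R, or a working winbind refresh, can still extend it
    return "expired-dead"           # past the renew window: only a fresh authentication helps

def tgt_state(text, now_str, realm="MYDOMAIN.ORG"):
    """State of the TGT for `realm` at instant `now_str` (same timestamp format as klist)."""
    now = datetime.strptime(now_str, TS)
    for t in parse_klist(text):
        if t["service"] == f"krbtgt/{realm}@{realm}":
            return ticket_state(t, now)
    return "no-tgt"
```

Feed it the real `klist` output of a user's cache together with the current time to see which of the three states the TGT is in; only "expired-renewable" is a state an automatic refresh could have prevented.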
