[Samba] Kerberos ticket maximum renewable lifetime

Stefan Just just at tuhh.de
Fri Jul 3 11:35:25 UTC 2020

Am 03.07.20 um 13:05 schrieb Rowland penny via samba:
> On 03/07/2020 11:33, Stefan Just via samba wrote:
>> We are using tmux, screen and x2go to run long-running jobs on our
>> compute servers. $HOME and other data should be mounted via CIFS or
>> NFS4. Because such a job can run for more than a week, I would like to
>> increase the Kerberos ticket lifetime or better the Kerberos ticket
>> maximum renewable lifetime.
>> I found this guide:
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>> Unfortunately, only settings that are smaller than the following have an
>> effect:
>> kdc:user ticket lifetime = 24
>> kdc:renewal lifetime = 24
>> There appears to be an upper limit of 24 hours that none of these
>> settings can exceed.
>> Thanks in advance
> You possibly could alter the ticket lifetime, but it would affect every
> kerberos ticket.

That's exactly what I want to do, I want to extend the lifetime of every
kerberos ticket or better the Kerberos ticket maximum renewable
lifetime. How does it work?

> A better idea would be to create users in AD just to run the program and
> then create a script to check if the ticket is valid and run kinit if it
> isn't, though this would also depend on a keytab.
> Rowland

A kinit needs the user's password if the Kerberos ticket maximum
renewable lifetime has been exceeded. This is simply not possible
because users cannot be online for weeks.


More information about the samba mailing list