[Samba] Kerberos ticket maximum renewable lifetime
Rowland penny
rpenny at samba.org
Fri Jul 3 12:27:45 UTC 2020
On 03/07/2020 12:35, Stefan Just via samba wrote:
> A kinit needs the user's password if the Kerberos ticket maximum
> renewable lifetime has been exceeded. This is simply not possible
> because users cannot be online for weeks.
Where did you get the idea that you need the password from?
If a user logs in and PAM is set up correctly on a Unix domain member,
the user should get a Kerberos ticket.
But as I said, you do not actually need a password, you need a keytab,
to prove this:
rowland@devstation:~$ who
rowland  tty7         2020-06-29 11:02 (:0)
I am the only user logged in.
I use sudo from AD (and I do not use sssd) and for this you need the
Administrator's ticket (I have asked about this on the sudo-users mailing
list, the user's ticket should be enough). To keep the Administrator's
ticket valid, I run a cron job every 10 minutes and this is what
happened this morning:
Jul  3 05:00:01 devstation CRON[19420]: (root) CMD (/usr/local/bin/check_key.sh)
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Running check for valid kerberos ticket
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Getting new ticket, old one has expired
If I check the ticket, I find this:
rowland@devstation:~$ sudo klist -c /tmp/krb5cc_0
[sudo] password for rowland:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
03/07/20 05:00:01    03/07/20 15:00:01    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 04/07/20 05:00:01
03/07/20 12:03:01    03/07/20 15:00:01    ldap/dc01.samdom.example.com@SAMDOM.EXAMPLE.COM
        renew until 04/07/20 05:00:01
No passwords were used in creating the new ticket.
Rowland
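A cron-driven script that does what Rowland describes (check the cache, fetch a fresh ticket from a keytab once the old one has expired, log in the same shape as the syslog lines above). This is an added reconstruction, not Rowland's own check_key.sh; the keytab path /etc/sudo.keytab is an assumption, while the principal and cache path are the ones shown in the klist output.

```shell
#!/bin/sh
# check_key.sh (reconstruction, not the original script): run from cron every
# 10 minutes to keep a keytab-based Kerberos ticket usable for sudo.
# Assumed (not from the post): the keytab path. Principal and cache are the
# ones shown in the klist output above.
KEYTAB="${KEYTAB:-/etc/sudo.keytab}"
PRINCIPAL="${PRINCIPAL:-Administrator@SAMDOM.EXAMPLE.COM}"
CACHE="${CACHE:-/tmp/krb5cc_0}"

log() {
    # Same shape as the syslog lines above: "dd-mm-yy HH:MM:SS [sudo_key] : msg".
    msg="$(date '+%d-%m-%y %H:%M:%S') [sudo_key] : $*"
    command -v logger >/dev/null 2>&1 && logger "$msg" 2>/dev/null || true
    printf '%s\n' "$msg" >&2   # also reaches cron's mail when syslog is absent
}

ticket_valid() {
    # klist -s is silent and exits non-zero when the cache has no unexpired TGT.
    klist -s -c "$CACHE"
}

renew_ticket() {
    # kinit -k authenticates with the keytab: no password, no interactive prompt.
    kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL"
}

check_key() {
    log "Running check for valid kerberos ticket"
    if ticket_valid; then
        return 0            # still good; nothing to do until the next cron run
    fi
    log "Getting new ticket, old one has expired"
    if renew_ticket; then
        return 0
    fi
    log "kinit from keytab failed; sudo via AD will not work until this is fixed"
    return 1
}

# Run only when executed as the cron script, not when sourced for testing.
case "$0" in
    *check_key.sh) check_key ;;
esac
```

The keytab is equivalent to the account's credential, so keep it root-only (mode 0600) and have cron call the script as root, matching the (root) CMD entry above.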