[Samba] Kerberos ticket maximum renewable lifetime

Rowland penny rpenny at samba.org
Fri Jul 3 12:27:45 UTC 2020


On 03/07/2020 12:35, Stefan Just via samba wrote:
> A kinit needs the user's password if the Kerberos ticket maximum
> renewable lifetime has been exceeded. This is simply not possible
> because users cannot be online for weeks.

Where did you get the idea that you need the password from?

If a user logs in and PAM is set up correctly on a Unix domain member, 
the user should get a Kerberos ticket.

But as I said, you do not actually need a password, you need a keytab. 
To prove this:

rowland@devstation:~$ who
rowland  tty7         2020-06-29 11:02 (:0)

I am the only user logged in.

I use sudo from AD (and I do not use sssd) and for this you need the 
Administrator's ticket (I have asked about this on the sudo-users mailing 
list, the user's ticket should be enough). To keep the Administrator's 
ticket valid, I run a cron job every 10 minutes and this is what 
happened this morning:

Jul  3 05:00:01 devstation CRON[19420]: (root) CMD (/usr/local/bin/check_key.sh)
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Running check for valid kerberos ticket
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Getting new ticket, old one has expired

If I check the ticket, I find this:

rowland@devstation:~$ sudo klist -c /tmp/krb5cc_0
[sudo] password for rowland:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
03/07/20 05:00:01  03/07/20 15:00:01  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
     renew until 04/07/20 05:00:01
03/07/20 12:03:01  03/07/20 15:00:01  ldap/dc01.samdom.example.com@SAMDOM.EXAMPLE.COM
     renew until 04/07/20 05:00:01

No passwords were used in creating the new ticket.

Rowland
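The check_key.sh cron job above is not shown in the post. The following is an added example of such a script (not Rowland's code and not part of Samba): while an unexpired TGT is in the cache it renews it, and once the renewable lifetime ("renew until") is exhausted or the ticket has expired it obtains a new one from a keytab, so no password is ever needed. The principal and cache path are taken from the klist output above; the keytab path and the cron interval are assumptions.

```shell
#!/bin/sh
# check_key.sh: keep root's Kerberos cache fresh from a keytab, never a password.
# Added example, not the script from the post. Run from cron every 10 minutes.
PRINCIPAL="${PRINCIPAL:-Administrator@SAMDOM.EXAMPLE.COM}"  # principal from the klist output
KEYTAB="${KEYTAB:-/etc/krb5.admin.keytab}"                   # ASSUMED path; root-only, mode 0600
CACHE="${CACHE:-/tmp/krb5cc_0}"                              # the cache sudo reads in the post

# Same message shape as the syslog lines in the post; falls back to stderr.
log() {
    msg="$(date '+%d-%m-%y %H:%M:%S') [sudo_key] : $*"
    logger -t root -- "$msg" 2>/dev/null || printf '%s\n' "$msg" >&2
}

# Obtain a brand-new TGT with the keytab. This is the path that still works
# after "renew until" has passed, where kinit -R cannot help.
new_ticket_from_keytab() {
    kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL"
}

# Prints one of: renewed | reissued | failed; the exit status follows it.
refresh_ticket() {
    log "Running check for valid kerberos ticket"
    if klist -s -c "$CACHE" 2>/dev/null; then
        # Unexpired TGT present. Renewing pushes "Expires" out without touching
        # the keytab and only fails once the renewable lifetime is used up.
        if kinit -R -c "$CACHE" 2>/dev/null; then echo renewed; return 0; fi
        log "Renewable lifetime exhausted, getting new ticket from keytab"
    else
        # MIT kinit will not renew an already-expired ticket, so reissue it.
        log "Getting new ticket, old one has expired"
    fi
    if new_ticket_from_keytab 2>/dev/null; then echo reissued; return 0; fi
    log "Failed to obtain ticket for $PRINCIPAL from $KEYTAB"
    echo failed; return 1
}

# Only run the check when invoked as check_key.sh (e.g. /usr/local/bin/check_key.sh
# from cron); sourcing the file elsewhere just defines the functions.
case "$0" in *check_key.sh) refresh_ticket ;; esac
```

Renewing on every run costs one KDC round trip per run; the keytab is only read when renewal is impossible.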
