[Samba] Kerberos ticket maximum renewable lifetime

Stefan Just just at tuhh.de
Fri Jul 3 12:52:10 UTC 2020



On 03.07.20 at 13:35, Stefan Just via samba wrote:
> 
> 
> On 03.07.20 at 13:05, Rowland Penny via samba wrote:
>> On 03/07/2020 11:33, Stefan Just via samba wrote:
>>> We are using tmux, screen and x2go to run long-running jobs on our
>>> compute servers. $HOME and other data should be mounted via CIFS or
>>> NFS4. Because such a job can run for more than a week, I would like to
>>> increase the Kerberos ticket lifetime or better the Kerberos ticket
>>> maximum renewable lifetime.
>>>
>>> I found this guide:
>>>
>>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>>
>>> Unfortunately, only settings that are smaller than the following have an
>>> effect:
>>>
>>> kdc:user ticket lifetime = 24
>>> kdc:renewal lifetime = 24
>>>
>>> There appears to be an upper limit of 24 hours that none of these
>>> settings can exceed.
>>>
>>> Thanks in advance
>>
>> You possibly could alter the ticket lifetime, but it would affect every
>> Kerberos ticket.
>>
> 
> That's exactly what I want to do. I want to extend the lifetime of every
> Kerberos ticket or better the Kerberos ticket maximum renewable
> lifetime. How does it work?
> 
>> A better idea would be to create users in AD just to run the program and
>> then create a script to check if the ticket is valid and run kinit if it
>> isn't, though this would also depend on a keytab.
>>
>> Rowland
>>
>>
> 
> A kinit needs the user's password if the Kerberos ticket maximum
> renewable lifetime has been exceeded. This is simply not possible
> because users cannot be online for weeks.
> 
> Stefan
> 
More specifically, we use ssh together with terminal multiplexers
(screen, tmux or x2go) so that the application continues to run in the
background (detached) when the user logs out or the connection is
interrupted.
Until now, with our old Kerberos and without an Active Directory,
we have extended the lifetime of the tickets with krenew-agent. But in
Samba the maximum extendability is limited to only 24 hours. How can I
change this, or is there another way to run long running applications in
the background (detached)?

Thanks in advance

Stefan
