[Samba] Kerberos ticket maximum renewable lifetime

Stefan Just just at tuhh.de
Wed Jul 8 13:41:24 UTC 2020


Great, it worked with the keytab.
Many thanks

Am 03.07.20 um 14:27 schrieb Rowland penny via samba:
> On 03/07/2020 12:35, Stefan Just via samba wrote:
>> A kinit needs the user's password if the Kerberos ticket maximum
>> renewable lifetime has been exceeded. This is simply not possible
>> because users cannot be online for weeks.
> 
> Where did you get the idea that you need the password from?
> 
> If a user logs in and PAM is set up correctly on a Unix domain member,
> the user should get a kerberos ticket.
> 
> But as I said, you do not actually need a password, you need a keytab,
> to prove this:
> 
> rowland at devstation:~$ who
> rowland  tty7         2020-06-29 11:02 (:0)
> 
> I am the only user logged in.
> 
> I use sudo from AD (and I do not use sssd) and for this you need the
> Administrators ticket (I have asked about this on the sudo-users mailing
> list, the users ticket should be enough). To keep the Administrators
> ticket valid, I run a cron job every 10 minutes and this is what
> happened this morning:
> 
> Jul  3 05:00:01 devstation CRON[19420]: (root) CMD (/usr/local/bin/check_key.sh)
> Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Running check for valid kerberos ticket
> Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Getting new ticket, old one has expired
> 
> If I check the ticket, I find this:
> 
> rowland at devstation:~$ sudo klist -c /tmp/krb5cc_0
> [sudo] password for rowland:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at SAMDOM.EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 03/07/20 05:00:01  03/07/20 15:00:01  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>     renew until 04/07/20 05:00:01
> 03/07/20 12:03:01  03/07/20 15:00:01  ldap/dc01.samdom.example.com at SAMDOM.EXAMPLE.COM
>     renew until 04/07/20 05:00:01
> 
> No passwords were used in creating the new ticket.
> 
> Rowland

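The cron job Rowland describes above (check the cache every few minutes, re-obtain the ticket from a keytab when it has run out) is the standard answer to the renewable-lifetime limit: a keytab-based kinit issues a fresh TGT every time, so neither the user's password nor kinit -R is ever needed. The script below is an added example, not Rowland's check_key.sh or anything shipped by Samba. It assumes MIT Kerberos tools run under LC_ALL=C (so klist prints dates as mm/dd/yy), GNU date, and the principal, keytab path and refresh threshold named at the top; the keytab lets whoever can read it obtain tickets as that principal, so it must be owned by root with mode 0600, and a dedicated, less privileged account is preferable to Administrator where sudo accepts it.

```bash
#!/bin/bash
# Added example, not Rowland's check_key.sh. Cron job that keeps a ticket cache
# populated from a keytab: the ticket is never renewed (kinit -R), it is simply
# re-obtained, so the maximum renewable lifetime does not matter.
# Assumptions: principal, keytab path and threshold below; GNU date; MIT klist.
set -u

PRINCIPAL="${PRINCIPAL:-Administrator@SAMDOM.EXAMPLE.COM}"   # assumed name
KEYTAB="${KEYTAB:-/etc/krb5.admin.keytab}"                   # assumed path; must be root:root 0600
CACHE="${CACHE:-FILE:/tmp/krb5cc_0}"                         # the cache sudo reads in the thread
MIN_LEFT="${MIN_LEFT:-900}"   # refresh when fewer seconds than this remain (keep > cron interval)

# tgt_expiry_epoch LISTING
# Extracts the "Expires" column of the krbtgt line from `LC_ALL=C klist -c`
# output (mm/dd/yy HH:MM:SS in the C locale; other locales reorder the date,
# which is why main pins LC_ALL=C) and prints it as epoch seconds in local time.
# Returns 1 when the listing has no TGT line.
tgt_expiry_epoch() {
    local listing=$1 expires d t mm dd yy rest
    expires=$(printf '%s\n' "$listing" | awk '$5 ~ /^krbtgt\// { print $3, $4; exit }')
    [ -n "$expires" ] || return 1
    d=${expires%% *}; t=${expires#* }
    mm=${d%%/*}; rest=${d#*/}; dd=${rest%%/*}; yy=${rest#*/}
    date -d "20${yy}-${mm}-${dd} ${t}" +%s
}

# needs_refresh LISTING NOW_EPOCH
# True (exit 0) when there is no usable TGT or it expires within MIN_LEFT seconds.
needs_refresh() {
    local listing=$1 now=$2 expiry
    expiry=$(tgt_expiry_epoch "$listing") || return 0
    [ $(( expiry - now )) -lt "$MIN_LEFT" ]
}

# refresh_ticket: the only step that contacts the KDC. -k authenticates with
# the keytab, so no password is prompted for and a brand-new TGT is issued.
refresh_ticket() {
    kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL"
}

main() {
    local listing now
    listing=$(LC_ALL=C klist -c "$CACHE" 2>/dev/null) || listing=""
    now=$(date +%s)
    logger -t sudo_key "Running check for valid kerberos ticket"
    if needs_refresh "$listing" "$now"; then
        logger -t sudo_key "Getting new ticket, old one is missing or expiring"
        refresh_ticket || { logger -t sudo_key "kinit from keytab failed"; exit 1; }
    fi
}

# Invoked from cron as `check_key.sh run`; without the argument the functions
# are only defined, so the file can be sourced and tested.
case "${1:-}" in run) main ;; esac
```

A matching crontab line would be `*/10 * * * * root /usr/local/bin/check_key.sh run`. The threshold is deliberately larger than the cron interval so the ticket is replaced before it lapses rather than after, which closes the gap a plain `klist -s` check leaves when the ticket expires between two runs.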