[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Thu Oct 1 08:31:55 UTC 2020

On 01/10/2020 00:23, Jason Keltz via samba wrote:
> Remy,
> On the domain controller (samba-ad-dc), I have in the config: kdc:user 
> ticket lifetime = 24
I do not recognise that smb.conf option, could this be another freebsd 
change that was never sent upstream or, if it was, it was rejected ?
> When I login to the client (which is using pam_winbind module), I have 
> 10 hour ticket life.
That is the default.
> The client is mounting from an NFS server that is also part of the 
> domain.
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the 
> client, it only takes effect if I use kinit, and that isn't really 
> testing winbind.
> After I understood that winbind should renew the ticket for me, I 
> wanted to test that, so the intention was to change kdc:user ticket 
> lifetime = 1 and see what happens in an hour on client  - would the 
> ticket be renewed, and I would continue to have access to the NFS 
> share, or would I be receiving an error and require kinit.  Even these 
> "kdc:" options are not part of smb man page.  I don't really 
> understand why.  I guess everyone keeps the defaults?

Provided you have 'winbind refresh tickets = yes' in the smb.conf on the 
Unix domain member, the users tickets will be renewed when required.


More information about the samba mailing list