[Samba] Kerberos ticket lifetime
Rowland penny
rpenny at samba.org
Thu Oct 1 08:31:55 UTC 2020
On 01/10/2020 00:23, Jason Keltz via samba wrote:
>
> Remy,
>
> On the domain controller (samba-ad-dc), I have in the config: kdc:user
> ticket lifetime = 24
I do not recognise that smb.conf option, could this be another FreeBSD
change that was never sent upstream or, if it was, it was rejected?
>
> When I log in to the client (which is using pam_winbind module), I have
> 10 hour ticket life.
That is the default.
>
> The client is mounting from an NFS server that is also part of the
> domain.
>
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the
> client, it only takes effect if I use kinit, and that isn't really
> testing winbind.
>
> After I understood that winbind should renew the ticket for me, I
> wanted to test that, so the intention was to change kdc:user ticket
> lifetime = 1 and see what happens in an hour on client - would the
> ticket be renewed, and I would continue to have access to the NFS
> share, or would I be receiving an error and require kinit. Even these
> "kdc:" options are not part of smb man page. I don't really
> understand why. I guess everyone keeps the defaults?
Provided you have 'winbind refresh tickets = yes' in the smb.conf on the
Unix domain member, the user's tickets will be renewed when required.
Rowland