[Samba] Kerberos ticket lifetime

Remy Zandwijk remy+samba at luckyhands.nl
Thu Oct 1 10:22:25 UTC 2020



> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote:
> 
> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>> 
>> Remy,
>> 
>> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24
> I do not recognise that smb.conf option, could this be another FreeBSD change that was never sent upstream or, if it was, it was rejected?

Uh, no?

https://wiki.samba.org/index.php/Samba_KDC_Settings

So the question is, is that info on the Wiki (still) valid and if so, why isn't it documented in the smb.conf man page?



>> 
>> When I log in to the client (which is using the pam_winbind module), I have a 10 hour ticket life.
> That is the default.
>> 
>> The client is mounting from an NFS server that is also part of the domain.
>> 
>> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>> 
>> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on the client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit.  Even these "kdc:" options are not part of the smb man page.  I don't really understand why.  I guess everyone keeps the defaults?
> 
> Provided you have 'winbind refresh tickets = yes' in the smb.conf on the Unix domain member, the users' tickets will be renewed when required.


-Remy


