[Samba] Kerberos ticket lifetime

Remy Zandwijk remy+samba at luckyhands.nl
Thu Oct 1 10:22:25 UTC 2020

> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>> Remy,
>> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24
> I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ?

Uh, no?

https://wiki.samba.org/index.php/Samba_KDC_Settings <https://wiki.samba.org/index.php/Samba_KDC_Settings>

So the question is, is that info on the Wiki (still) valid and if so, why isn't it documented in the smb.conf man page?

>> When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.
> That is the default.
>> The client is mounting from an NFS server that is also part of the domain.
>> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client  - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit.  Even these "kdc:" options are not part of smb man page.  I don't really understand why.  I guess everyone keeps the defaults?
> Provided you have 'winbind refresh tickets = yes' in the smb.conf on the Unix domain member, the users tickets will be renewed when required.


More information about the samba mailing list