[Samba] Kerberos ticket lifetime
jas at eecs.yorku.ca
Thu Oct 1 12:24:20 UTC 2020
On 10/1/2020 6:57 AM, Rowland penny via samba wrote:
> On 01/10/2020 11:22, Remy Zandwijk wrote:
>>> On 1 Oct 2020, at 10:31, Rowland penny via samba
>>> <samba at lists.samba.org> wrote:
>>> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>>> On the domain controller (samba-ad-dc), I have in the config:
>>>> kdc:user ticket lifetime = 24
>>> I do not recognise that smb.conf option, could this be another
>>> freebsd change that was never sent upstream or, if it was, it was
>>> rejected?
>> Uh, no?
>> So the question is, is that info on the Wiki (still) valid and if so,
>> why isn't it documented in the smb.conf man page?
> Well, you learn something new every day :-)
> A quick search in 'man smb.conf' on 'kdc', turns this up:
> gpo update command (G)
> This option sets the command that is called to apply GPO policies.
> The samba-gpupdate script applies System Access and Kerberos Policies
> to the KDC.
> System Access policies set minPwdAge, maxPwdAge, minPwdLength, and
> pwdProperties in the samdb.
> Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket
> lifetime, and kdc:renewal lifetime in smb.conf.
> Apart from the wiki page (which dates back to 2014), that is it.
> Let me look into this further.
It would be interesting if you or someone else who is running on CentOS
7 could try the "kdc:user ticket lifetime" on yours/their install, and
see if it works. The issue could invariably be to do with the MIT
Kerberos/Heimdal compatibility stuff since I'm running on CentOS 7. In
this case, this should be marked as a bug, and hopefully eventually
fixed. I could never get the krb5_ccache_type as KEYRING to work nor
did I get any response on the list or a bug report, but hopefully