[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Thu Oct 1 12:24:20 UTC 2020

On 10/1/2020 6:57 AM, Rowland penny via samba wrote:
> On 01/10/2020 11:22, Remy Zandwijk wrote:
>>> On 1 Oct 2020, at 10:31, Rowland penny via samba 
>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>>> Remy,
>>>> On the domain controller (samba-ad-dc), I have in the config: 
>>>> kdc:user ticket lifetime = 24
>>> I do not recognise that smb.conf option, could this be another 
>>> freebsd change that was never sent upstream or, if it was, it was 
>>> rejected ?
>> Uh, no?
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>> So the question is, is that info on the Wiki (still) valid and if so, 
>> why isn't it documented in the smb.conf man page?
> Well, you learn something new everyday :-)
> A quick search in 'man smb.conf' on 'kdc', turns this up:
> gpo update command (G)
> This option sets the command that is called to apply GPO policies.
> The samba−gpupdate script applies System Access and Kerberos Policies 
> to the KDC.
> System Access policies set minPwdAge, maxPwdAge, minPwdLength, and 
> pwdProperties in the samdb.
> Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket 
> lifetime, and kdc:renewal lifetime in smb.conf.
> Apart from the wiki page (which dates back to 2014), that is it.
> Let me look into this further.

It would be interesting if you or someone else who is running on CentOS 
7 could try the "kdc:user ticket lifetime" on yours/their install, and 
see if it works.  The issue could invariably be to do with the MIT 
Kerberos/Heimdal compatibility stuff since I'm running on CentOS 7.   In 
this case, this should be marked as a bug, and hopefully eventually 
fixed.  I could never get the krb5_ccache_type as KEYRING to work nor 
did I get any response on the list or a bug report, but hopefully 


More information about the samba mailing list