[Samba] Kerberos ticket lifetime

[Jason Keltz]

On 10/1/2020 6:57 AM, Rowland penny via samba wrote:
> On 01/10/2020 11:22, Remy Zandwijk wrote:
>>
>>
>>> On 1 Oct 2020, at 10:31, Rowland penny via samba 
>>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>>>
>>> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>>>
>>>> Remy,
>>>>
>>>> On the domain controller (samba-ad-dc), I have in the config: 
>>>> kdc:user ticket lifetime = 24
>>> I do not recognise that smb.conf option, could this be another 
>>> freebsd change that was never sent upstream or, if it was, it was 
>>> rejected ?
>>
>> Uh, no?
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> So the question is, is that info on the Wiki (still) valid and if so, 
>> why isn't it documented in the smb.conf man page?
>
> Well, you learn something new everyday :-)
>
> A quick search in 'man smb.conf' on 'kdc', turns this up:
>
> gpo update command (G)
>
> This option sets the command that is called to apply GPO policies.
> The samba−gpupdate script applies System Access and Kerberos Policies 
> to the KDC.
> System Access policies set minPwdAge, maxPwdAge, minPwdLength, and 
> pwdProperties in the samdb.
> Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket 
> lifetime, and kdc:renewal lifetime in smb.conf.
>
> Apart from the wiki page (which dates back to 2014), that is it.
>
> Let me look into this further.

It would be interesting if you or someone else who is running on CentOS 
7 could try the "kdc:user ticket lifetime" on yours/their install, and 
see if it works.  The issue could invariably be to do with the MIT 
Kerberos/Heimdal compatibility stuff since I'm running on CentOS 7.   In 
this case, this should be marked as a bug, and hopefully eventually 
fixed.  I could never get the krb5_ccache_type as KEYRING to work nor 
did I get any response on the list or a bug report, but hopefully 
eventually.

Jason.