[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Thu Oct 1 19:47:10 UTC 2020


On 10/1/2020 8:41 AM, Rowland penny via samba wrote:
> On 01/10/2020 13:38, Jason Keltz via samba wrote:
>> On 10/1/2020 8:34 AM, Rowland penny via samba wrote:
>>
>>> On 01/10/2020 13:30, Jason Keltz via samba wrote:
>>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote:
>>>>
>>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:
>>>>>> So why is it that winbind renews the ticket on the original 
>>>>>> system, but on the system that I ssh to, it does not?
>>>>>
>>>>> Do you have 'winbind refresh tickets = yes' set on all the systems ?
>>>>
>>>> Absolutely.  In fact,  both systems are using the identical 
>>>> smb.conf, identical PAM configuration, and identical pam_winbind.conf.
>>>>
>>>> Jason.
>>>>
>>>>
>>> Thinking about it, when you login via ssh, PAM via pam-winbind 
>>> should get you a new ticket on that client.
>>
>> It did do that.  However, I left myself logged in intentionally for 
>> > 10 hours on the system and winbind didn't auto renew the ticket.  It 
>> did renew it when I *re*sshed, but it should have renewed it on the 
>> connection that was left open as well. On the system where I logged 
>> in via GNOME and left it for > 10 hours, it did renew it.
>>
>> Jason.
>>
>>
> I am now testing this on CentOS 8 and I didn't get a ticket, so let me 
> look into this and get back to you.
>
> Rowland 

Hi Rowland,

In my case, I think I may know why pam_winbind is not renewing the 
ticket before it expires.

When I SSH from one system in the domain to another system in the 
domain, SSH is forwarding the ticket to the system.  When I do a klist 
on the destination system, I see the ticket.  Now,  I have no choice but 
to use /tmp/krb5cc_<uid> as a ticket cache (because KEYRING simply 
doesn't work with pam_winbind).  However, when I ssh, and do a klist, 
the ticket cache file is not actually FILE:/tmp/krb5cc_<uid>.  Instead, 
it is FILE:/tmp/krb5cc_1004_<10 random chars>.  I don't know if it's SSH 
that is adding the random characters, or something else, but I suspect 
that it is ssh.  Since I assume that winbind is only looking at 
/tmp/krb5cc_<uid>, it doesn't know anything about the pending ticket 
expiry in the other file, and it would appear that's why auto ticket 
renewal is not working.   Both systems have in /etc/krb5.conf:

default_ccache_name = FILE:/tmp/krb5cc_%{uid}

(which is supposed to be the default anyway).  I don't know how to tell 
ssh that when it's forwarding the ticket to write it to 
/tmp/krb5cc_<uid> instead of /tmp/krb5cc_<uid>_<10 random chars>.

If I change KRB5CCNAME, and hard-code it to the right path, the data 
still gets written to the other file.

Hopefully you can provide some insight into this.

Jason.
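A small check for the cache-name mismatch described in this message, added here as an example and not code from the thread or from Samba: it parses `klist` output and reports whether the session's credential cache is the configured `FILE:/tmp/krb5cc_<uid>` path, that same path with a random suffix appended, or some other cache. The sample `klist` lines and the EXAMPLE.COM realm are constructed placeholders.

```shell
# Constructed klist output as seen on the ssh destination host described in
# the message: the delegated cache has a random suffix after the uid.
SAMPLE_SSH='Ticket cache: FILE:/tmp/krb5cc_1004_AbCdEf1234
Default principal: jas@EXAMPLE.COM

Valid starting     Expires            Service principal
10/01/20 08:41:00  10/01/20 18:41:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed klist output on the host where the GNOME login renewed fine.
SAMPLE_LOCAL='Ticket cache: FILE:/tmp/krb5cc_1004
Default principal: jas@EXAMPLE.COM'

# Expected cache for a uid, matching the krb5.conf line quoted above:
# default_ccache_name = FILE:/tmp/krb5cc_%{uid}
expected_ccache() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Extract the "Ticket cache:" value from klist output (first match only).
ccache_from_klist() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache:[[:space:]]*//p' | head -n 1
}

# Classify the cache a session actually uses against the configured default:
#   no-ticket                      no "Ticket cache:" line at all
#   ok                             exactly the configured default path
#   suffixed <actual> (expected X) default path plus "_<random>" suffix
#   other <actual> (expected X)    a different cache entirely (e.g. KEYRING:)
check_ccache() {
    actual=$(ccache_from_klist "$1")
    expected=$(expected_ccache "$2")
    if [ -z "$actual" ]; then
        printf 'no-ticket\n'
    elif [ "$actual" = "$expected" ]; then
        printf 'ok\n'
    else
        case "$actual" in
            "$expected"_*) printf 'suffixed %s (expected %s)\n' "$actual" "$expected" ;;
            *)             printf 'other %s (expected %s)\n'    "$actual" "$expected" ;;
        esac
    fi
}

# Live use on a real host: check_ccache "$(klist 2>/dev/null)" "$(id -u)"
check_ccache "$SAMPLE_SSH" 1004
check_ccache "$SAMPLE_LOCAL" 1004
```

Running this from a shell profile on the destination host shows immediately whether a delegated ticket landed in a cache that a `/tmp/krb5cc_<uid>`-only renewal path would never see.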