[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Thu Oct 1 19:47:10 UTC 2020

On 10/1/2020 8:41 AM, Rowland penny via samba wrote:
> On 01/10/2020 13:38, Jason Keltz via samba wrote:
>> On 10/1/2020 8:34 AM, Rowland penny via samba wrote:
>>> On 01/10/2020 13:30, Jason Keltz via samba wrote:
>>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote:
>>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:
>>>>>> So why is it that winbind renews the ticket on the original 
>>>>>> system, but on the system that I ssh to, it does not.
>>>>> Do you have 'winbind refresh tickets = yes' set on all the systems ?
>>>> Absolutely.  In fact, both systems are using the identical 
>>>> smb.conf, identical PAM configuration, and identical pam_winbind.conf.
>>>> Jason.
>>> Thinking about it, when you login via ssh, PAM via pam-winbind 
>>> should get you a new ticket on that client.
>> It did do that.  However, I left myself logged in intentionally for > 10 
>> hours on the system and winbind didn't auto renew the ticket.  It 
>> did renew it when I *re*sshed, but it should have renewed it on the 
>> connection that was left open as well. On the system where I logged 
>> in via GNOME and left it for > 10 hours, it did renew it.
>> Jason.
> I am now testing this on Centos 8 and I didn't get a ticket, so let me 
> look into this and get back to you.
> Rowland 

Hi Rowland,

In my case, I think I may know why pam_winbind is not renewing the 
ticket before it expires.

When I SSH from one system in the domain to another system in the 
domain, SSH is forwarding the ticket to the system.  When I do a klist 
on the destination system, I see the ticket.  Now, I have no choice but 
to use /tmp/krb5cc_<uid> as a ticket cache (because KEYRING simply 
doesn't work with pam_winbind).  However, when I ssh, and do a klist, 
the ticket cache file is not actually FILE:/tmp/krb5cc_<uid>.  Instead, 
it is FILE:/tmp/krb5cc_1004_<10 random chars>.  I don't know if it's SSH 
that is adding the random characters, or something else, but I suspect 
that it is ssh.  Since I assume that winbind is only looking at 
/tmp/krb5cc_<uid>, it doesn't know anything about the pending ticket 
expiry in the other file, and it would appear that's why auto ticket 
renewal is not working.  Both systems have in /etc/krb5.conf:

default_ccache_name = FILE:/tmp/krb5cc_%{uid}

(which is supposed to be the default anyway).  I don't know how to tell 
ssh that when it's forwarding the ticket to write it to 
/tmp/krb5cc_<uid> instead of /tmp/krb5cc_<uid>_<10 random chars>.

If I change KRB5CCNAME, and hard-code it to the right path, the data 
still gets written to the other file.

Hopefully you can provide some insight into this.
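An added check for the situation described in the message above (example code, not from the thread or from Samba): it reports credential caches of the form /tmp/krb5cc_<uid>_<suffix> that sit beside the default_ccache_name path, and tests whether a session's KRB5CCNAME points at the cache winbind is assumed to refresh. The function names and the directory argument are this example's own; the sample cache files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report Kerberos credential caches that
# winbind's ticket refresh will not see because they are not at the
# default_ccache_name path FILE:/tmp/krb5cc_<uid>. The directory argument lets
# the check run against a constructed sample directory; on a real host it is /tmp.
# Print the cache path winbind is expected to refresh for this uid.
expected_ccache() {
    uid="$1"; dir="${2:-/tmp}"
    printf '%s/krb5cc_%s\n' "$dir" "$uid"
}
# List caches named <dir>/krb5cc_<uid>_<suffix>, the pattern the message
# describes for the forwarded ticket, one per line (nothing if none exist).
stray_ccaches() {
    uid="$1"; dir="${2:-/tmp}"
    for f in "$dir"/krb5cc_"$uid"_*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
    done
}
# Succeed when a session's KRB5CCNAME points at the default cache, fail when
# it points at a cache that winbind's refresh will not follow.
krb5ccname_is_default() {
    uid="$1"; dir="$2"; ccname="$3"
    want="FILE:$(expected_ccache "$uid" "$dir")"
    case "$ccname" in
        FILE:*) ;;
        *) ccname="FILE:$ccname" ;;   # a bare path means FILE:
    esac
    [ "$ccname" = "$want" ]
}
# Constructed sample: the default cache beside a forwarded-ticket cache with a
# made-up 10-character suffix, as in the message above.
demo() {
    d=$(mktemp -d)
    : > "$d/krb5cc_1004"
    : > "$d/krb5cc_1004_AbCdEfGhIj"
    echo "expected cache: $(expected_ccache 1004 "$d")"
    echo "stray caches:"; stray_ccaches 1004 "$d"
    if krb5ccname_is_default 1004 "$d" "FILE:$d/krb5cc_1004_AbCdEfGhIj"; then
        echo "KRB5CCNAME ok"
    else
        echo "KRB5CCNAME points at a cache winbind will not refresh"
    fi
    rm -rf "$d"
}
demo
```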


