[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Thu Oct 1 20:23:39 UTC 2020

On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>> Hi Rowland,
>> In my case, I think I may know why pam_winbind is not renewing the 
>> ticket before it expires.
> I don't think it matters about the extra characters in the ticket 
> name, I think the ticket search looks for a ticket that is owned by 
> the user. I also don't think ssh is forwarding the ticket, it gets a 
> new one for the user.
> If you are using RHEL7 (or a clone), you are going to love RHEL8, they 
> have removed pam_krb5.
> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain 
> member and they do not work for myself, I am now waiting overnight to 
> see if a user's ticket gets refreshed after 10 hours.

Okay - I guess the failure of kdc: lines in smb.conf is a bug.

Let's wait and see what happens with your ticket after 10 hours. Maybe 
there's a bug there as well.

Just for fun, I tried to copy the ticket with random characters to 
/tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will 
see after 10 hours whether winbind magically renews the ticket now that 
the ticket doesn't have the random chars in the name.

I'm not using pam_krb5.  I was under the impression it's not necessary.  
I'm just using pam_winbind.

I thought that the reason I could ssh from one system in the domain to 
another system in the domain while holding a valid Kerberos ticket was 
because the TGT got forwarded from the original host to the new host, 
but I may be misunderstanding the protocol.
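The things the thread is waiting ten hours to find out (is the TGT still renewable, was it forwarded or freshly obtained, does the cache carry the plain /tmp/krb5cc_<uid> name) can be read off a `klist -f` dump right away. The script below is an added example written for this page, not code from the thread or from Samba; it assumes the MIT Kerberos `klist -f` output format, the sample dump is constructed rather than captured from the poster's hosts, and the "plain" cache name it checks for is the /tmp/krb5cc_<uid> path the message mentions, which is an assumption about the site's winbind cache naming.

```python
"""Parse MIT `klist -f` output and report TGT renewability, delegation and
cache naming.  Added example for this thread; the sample klist text is
constructed and the expected /tmp/krb5cc_<uid> cache name is an assumption."""
import re
from datetime import datetime

# Flag letters printed by MIT klist -f after "Flags:".
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# Constructed sample: a TGT with a 10-hour lifetime and a 7-day renew window,
# sitting in a cache whose name carries a random suffix.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234_Xy9Q2z
Default principal: jas@EXAMPLE.COM

Valid starting       Expires              Service principal
10/01/2020 16:10:00  10/02/2020 02:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/08/2020 16:10:00, Flags: FRIA
10/01/2020 16:10:05  10/02/2020 02:10:00  host/client.example.com@EXAMPLE.COM
\tFlags: FRT
"""

TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")


def _ts(text):
    """klist prints either a two- or four-digit year depending on version/locale."""
    year = text.split()[0].split("/")[2]
    fmt = "%m/%d/%Y %H:%M:%S" if len(year) == 4 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [{start, expires, service, renew_until, flags}]}."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            info["tickets"].append({"start": _ts(m.group(1)), "expires": _ts(m.group(2)),
                                    "service": m.group(3), "renew_until": None, "flags": ""})
        elif info["tickets"] and line[:1] in (" ", "\t"):
            # Indented continuation line: "renew until ...", "Flags: ...", or both.
            ticket = info["tickets"][-1]
            renew = re.search(rf"renew until ({TS})", line)
            if renew:
                ticket["renew_until"] = _ts(renew.group(1))
            flags = re.search(r"Flags: (\S+)", line)
            if flags:
                ticket["flags"] = flags.group(1)
    return info


def assess_tgt(info, now, uid):
    """Decide whether the TGT could still be renewed at time `now` and how it got here."""
    tgts = [t for t in info["tickets"] if t["service"].startswith("krbtgt/")]
    if not tgts:
        return {"tgt": False}
    t = tgts[0]
    flags = set(t["flags"])
    cache_path = info["cache"].split(":", 1)[-1]  # strip the "FILE:" type prefix
    return {
        "tgt": True,
        "flags": sorted(FLAG_NAMES[c] for c in flags if c in FLAG_NAMES),
        "forwarded": "f" in flags,      # lower-case f: delegated from another host
        "forwardable": "F" in flags,    # upper-case F: ssh may delegate it onward
        "expired": now >= t["expires"],
        "seconds_left": int((t["expires"] - now).total_seconds()),
        # Renewal needs the R flag, an unexpired ticket, and a renew-until still ahead;
        # once the ticket has expired, nothing (winbind included) can renew it.
        "renewable_now": ("R" in flags and now < t["expires"]
                          and t["renew_until"] is not None and now < t["renew_until"]),
        # Assumed convention from the thread: a winbind-managed cache is /tmp/krb5cc_<uid>.
        "plain_cache_name": cache_path == f"/tmp/krb5cc_{uid}",
    }


def report_at(now_text, uid=1234, text=SAMPLE_KLIST):
    """Convenience wrapper: assess the sample (or any klist dump) at a given klist-style time."""
    return assess_tgt(parse_klist(text), _ts(now_text), uid)


if __name__ == "__main__":
    for when in ("10/01/2020 23:00:00", "10/02/2020 03:00:00"):
        print(when, report_at(when))
```

Run against a real cache with `klist -f > dump.txt` and `report_at("<now>", uid, open("dump.txt").read())`; if `renewable_now` is False while `expired` is also False, the ticket was issued without a renewable lifetime and no renewer will help, whichever cache name it has.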

