[Samba] Kerberos ticket lifetime
Jason Keltz
jas at eecs.yorku.ca
Thu Oct 1 20:23:39 UTC 2020
On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>>
>> Hi Rowland,
>>
>> In my case, I think I may know why pam_winbind is not renewing the
>> ticket before it expires.
>>
> I don't think it matters about the extra characters in the ticket
> name, I think the ticket search looks for a ticket that is owned by
> the user. I also don't think ssh is forwarding the ticket, it gets a
> new one for the user.
>
> If you are using RHEL7 (or a clone), you are going to love RHEL8, they
> have removed pam_krb5.
>
> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain
> member and they do not work for myself, I am now waiting overnight to
> see if a user's ticket gets refreshed after 10 hours.
Okay - I guess the failure of kdc: lines in smb.conf is a bug.
Let's wait and see what happens with your ticket after 10 hours. Maybe
there's a bug there as well.
Just for fun, I tried to copy the ticket with random characters to
/tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will
see after 10 hours whether winbind magically renews the ticket now that
the ticket doesn't have the random chars in the name.
I'm not using pam_krb5. I was under the impression it's not necessary.
I'm just using pam_winbind.
I thought that the reason I could ssh from one system in the domain to
another system in the domain while holding a valid Kerberos ticket was
because the TGT got forwarded from the original host to the new host,
but I may be misunderstanding the protocol.
Jason.
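The thread is comparing what `klist` shows for a pam_winbind-created cache (the `krb5cc_<uid>_<random>` name, the ticket expiry, whether it was refreshed) before and after a 10-hour wait. The following is an added example, not code from the thread or from Samba, that parses an MIT-style `klist` listing and reports whether the TGT is still fine, should be renewed with `kinit -R`, or has to be re-obtained. It assumes MIT `klist` output with `MM/DD/YYYY HH:MM:SS` timestamps (this is locale dependent) and a `renew until` line under the krbtgt entry; the sample listing embedded below is constructed. For reference, winbind only refreshes tickets on its own when `winbind refresh tickets = yes` is set in smb.conf and pam_winbind is configured with `krb5_auth = yes`; the script does not change any of that, it only shows the state of the cache.

```python
"""Inspect an MIT-style `klist` listing and decide whether the TGT needs renewing.

Added example for the samba list thread on ticket lifetime; not Samba code.
Assumptions: MIT klist output, "%m/%d/%Y %H:%M:%S" timestamps, a "renew until"
line directly under the krbtgt entry. SAMPLE_KLIST below is constructed.
"""
import re
import shutil
import subprocess
from datetime import datetime, timedelta

TS_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: default MIT klist format in a C/POSIX locale

# Constructed sample of a cache as pam_winbind creates it: note the random
# suffix on the cache name, which is what the thread is discussing.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000_AbCdEf
Default principal: jas@EXAMPLE.COM

Valid starting       Expires              Service principal
10/01/2020 16:10:05  10/02/2020 02:10:05  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/08/2020 16:10:05
10/01/2020 16:10:07  10/02/2020 02:10:05  host/client.example.com@EXAMPLE.COM
"""


def parse_klist(text):
    """Extract cache name, principal, TGT expiry and TGT renew-until (None if absent)."""
    info = {"cache": None, "principal": None,
            "tgt_expires": None, "tgt_renew_until": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif "krbtgt/" in line:
            m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
            if not m:
                continue
            info["tgt_expires"] = datetime.strptime(m.group(2), TS_FMT)
            # MIT prints "renew until" on the following line, indented.
            if i + 1 < len(lines):
                r = re.search(r"renew until (\S+ \S+)", lines[i + 1])
                if r:
                    info["tgt_renew_until"] = datetime.strptime(r.group(1), TS_FMT)
    return info


def cache_has_random_suffix(cache):
    """True for names like FILE:/tmp/krb5cc_1000_AbCdEf (pam_winbind/krb5 mkstemp style)."""
    return re.search(r"krb5cc_\d+_[A-Za-z0-9]+$", cache or "") is not None


def decide(info, now, threshold=timedelta(hours=1)):
    """Return 'none' (no TGT), 'ok', 'renew' (kinit -R will work) or 'reauth'.

    A TGT can only be renewed while it is still valid and before its
    renew-until time; an expired TGT has to be obtained afresh (kinit/keytab).
    """
    exp = info["tgt_expires"]
    if exp is None:
        return "none"
    if now >= exp:
        return "reauth"
    if exp - now > threshold:
        return "ok"
    renew_until = info["tgt_renew_until"]
    if renew_until is not None and renew_until > exp and now < renew_until:
        return "renew"
    return "reauth"


def report(text, now):
    """Human-readable summary for one klist listing."""
    info = parse_klist(text)
    verdict = decide(info, now)
    suffix = "random suffix" if cache_has_random_suffix(info["cache"]) else "plain name"
    return (f"cache={info['cache']} ({suffix}) principal={info['principal']} "
            f"expires={info['tgt_expires']} renew_until={info['tgt_renew_until']} "
            f"action={verdict}")


if __name__ == "__main__":
    # Use the real klist when present, otherwise the constructed sample.
    if shutil.which("klist"):
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
        print(report(out, datetime.now()))
    else:
        print(report(SAMPLE_KLIST, datetime(2020, 10, 2, 1, 30, 0)))
```

Run it on the box where the ticket was obtained (it reads whatever cache `KRB5CCNAME` or the default points at, exactly as `klist` does), then again after the 10-hour wait: if `expires` has moved forward the ticket was refreshed; if the action flips to `reauth` nothing renewed it.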