[Samba] Kerberos ticket lifetime
Rowland penny
rpenny at samba.org
Thu Oct 1 20:46:22 UTC 2020
On 01/10/2020 21:23, Jason Keltz via samba wrote:
>
> On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
>> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>>>
>>> Hi Rowland,
>>>
>>> In my case, I think I may know why pam_winbind is not renewing the
>>> ticket before it expires.
>>>
>> I don't think it matters about the extra characters in the ticket
>> name, I think the ticket search looks for a ticket that is owned by
>> the user. I also don't think ssh is forwarding the ticket, it gets a
>> new one for the user.
>>
>> If you are using RHEL7 (or a clone), you are going to love RHEL8,
>> they have removed pam_krb5.
>>
>> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain
>> member and they do not work for me; I am now waiting overnight
>> to see if a user's ticket gets refreshed after 10 hours.
>
> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>
> Let's wait and see what happens with your ticket after 10 hours. Maybe
> there's a bug there as well.
It will be in the middle of the night here, so I will report back in the
morning, but if it is a bug (not refreshing, that is), then it is an
RHEL one; it works on Debian.
>
> Just for fun, I tried to copy the ticket with random characters to
> /tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will
> see after 10 hours whether winbind magically renews the ticket now
> that the ticket doesn't have the random chars in the name.
>
> I'm not using pam_krb5. I was under the impression it's not
> necessary. I'm just using pam_winbind.
Ahh, I didn't get a ticket on CentOS 8 until I downloaded the pam-krb5
source package from CentOS 7, compiled and installed it, then set up
PAM to use it.
>
> I thought that the reason I could ssh from one system in the domain to
> another system in the domain while holding a valid Kerberos ticket was
> because the TGT got forwarded from the original host to the new host,
> but I may be misunderstanding the protocol.
I am not an expert on Kerberos, but I don't think it works that way; I
have always had to install pam-krb5 to get Kerberos to work with Samba.
On RHEL8, pam-krb5 has been replaced by pam-sss, which is just a wrapper
around sssd, which is a bit strange; even RHEL admits that you cannot
use sssd with winbind.
Rowland