[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Thu Oct 1 20:46:22 UTC 2020 

On 01/10/2020 21:23, Jason Keltz via samba wrote:
>
> On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
>> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>>>
>>> Hi Rowland,
>>>
>>> In my case, I think I may know why pam_winbind is not renewing the 
>>> ticket before it expires.
>>>
>> I don't think it matters about the extra characters in the ticket 
>> name, I think the ticket search looks for a ticket that is owned by 
>> the user. I also don't think ssh is forwarding the ticket, it gets a 
>> new one for the user.
>>
>> If you are using RHEL7 (or a clone), you are going to love RHEL8, 
>> they have removed pam_krb5.
>>
>> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain 
>> member and  they do not work for myself, I am now waiting overnight 
>> to see if a users ticket gets refreshed after 10 hours.
>
> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>
> Let's wait and see what happens with your ticket after 10 hours. Maybe 
> there's a bug there as well.
It will be in the middle of the night here, so I will report back in the 
morning, but if it is a bug (not refreshing, that is), then it is an 
RHEL one, it works on Debian.
>
> Just for fun, I tried to copy the ticket with random characters to 
> /tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will 
> see after 10 hours whether winbind magically renews the ticket now 
> that the ticket doesn't have the random chars in the name.
>
> I'm not using pam_krb5.  I was under the impression it's not 
> necessary.  I'm just using pam_winbind.

Ahh, I didn't get a ticket on Centos8 until I downloaded the pam-krb5 
source package from Centos7 and compiled and installed it, then set up 
PAM to use it.

>
> I thought that the reason I could ssh from one system in the domain to 
> another system in the domain while holding a valid Kerberos ticket was 
> because the TGT got forwarded from the original host to the new host, 
> but I may be misunderstanding the protocol.

I am not an expert on kerberos, but I don't think it works that way, I 
have always had to install pam-krb5 to get kerberos to work with Samba.

On RHEL8, pam-krb5 has been replaced by pam-sss, which is just a wrapper 
around sssd, which is a bit strange, even RHEL admits that you cannot 
use sssd with winbind.

Rowland

More information about the samba mailing list