[Samba] Kerberos ticket lifetime
Jason Keltz
jas at eecs.yorku.ca
Fri Oct 2 12:01:37 UTC 2020
On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> On 01/10/2020 21:46, Rowland penny via samba wrote:
>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>
>>>
>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>
>>> Let's wait and see what happens with your ticket after 10 hours.
>>> Maybe there's a bug there as well.
>> It will be in the middle of the night here, so I will report back in
>> the morning, but if it is a bug (not refreshing, that is), then it is
>> an RHEL one, it works on Debian.
>
> OK, I still have a valid kerberos ticket, it just doesn't seem to have
> been refreshed when I expected :-\
>
> Old ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting Expires Service principal
> 01/10/20 15:34:44 02/10/20 01:34:44
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> renew until 08/10/20 15:34:44
> 01/10/20 15:34:44 02/10/20 01:34:44 CEN8$@SAMDOM.EXAMPLE.COM
> renew until 08/10/20 15:34:44
>
> New ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting Expires Service principal
> 02/10/20 06:41:20 02/10/20 16:41:20
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> renew until 08/10/20 15:41:17

In your case, did you ssh to "centos8", or did you just log into it via a
GUI? When I log in via the GUI, winbind renews the key. When I ssh, it
does not. On your destination system, the ticket cache is still
/tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.

In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
to /tmp/krb5cc_UID, winbind also did not renew the key. Sigh.

Jason.