[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Fri Oct 2 12:05:44 UTC 2020


On 02/10/2020 13:01, Jason Keltz via samba wrote:
> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>
>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>
>>>>
>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>
>>>> Let's wait and see what happens with your ticket after 10 hours. 
>>>> Maybe there's a bug there as well.
>>> It will be in the middle of the night here, so I will report back in 
>>> the morning, but if it is a bug (not refreshing, that is), then it 
>>> is an RHEL one, it works on Debian.
>>
>> OK, I still have a valid Kerberos ticket, it just doesn't seem to 
>> have been refreshed when I expected :-\
>>
>> Old ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:34:44
>> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:34:44
>>
>> New ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:41:17
>
> In your case, did you ssh to "centos8", or did you just log into it via 
> a GUI?  When I log in via the GUI, winbind renews the key. When I ssh, 
> it does not.  On your destination system, the ticket cache is still 
> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>
> In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back 
> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>
> Jason.
>
>
I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket. 
I think your problem is the lack of pam_krb5.

Rowland
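
The two klist listings quoted in this message can be compared mechanically. The following is an added example, not part of the original post or of Samba: it parses both listings and reports each TGT's lifetime, the gap between the old TGT's expiry and the new TGT's start, and how far the "renew until" stamp moved. It assumes the dd/mm/yy date format shown in the listing, with wrapped lines rejoined and "@" restored in the principal names.

```python
import re
from datetime import datetime

# klist output copied from the message above (wrapped lines rejoined).
OLD = """\
Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
    renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
    renew until 08/10/20 15:34:44
"""
NEW = """\
Valid starting     Expires            Service principal
02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
    renew until 08/10/20 15:41:17
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {STAMP}\s*$")

def _ts(text):
    # Assumption: day/month/two-digit-year, as in the listing above.
    return datetime.strptime(text, "%d/%m/%y %H:%M:%S")

def parse_klist(text):
    """Return one dict per ticket: principal, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            tickets.append({"principal": m.group(3), "start": _ts(m.group(1)),
                            "expires": _ts(m.group(2)), "renew_until": None})
        elif (m := RENEW.match(line)) and tickets:
            tickets[-1]["renew_until"] = _ts(m.group(1))
    return tickets

def tgt(tickets):
    """Pick the ticket-granting ticket (service principal krbtgt/...)."""
    return next(t for t in tickets if t["principal"].startswith("krbtgt/"))

def compare(old_text, new_text):
    """Lifetime of each TGT and the distance between the two listings."""
    old, new = tgt(parse_klist(old_text)), tgt(parse_klist(new_text))
    return {"old_lifetime": old["expires"] - old["start"],
            "new_lifetime": new["expires"] - new["start"],
            "gap": new["start"] - old["expires"],
            "renew_until_shift": new["renew_until"] - old["renew_until"]}

if __name__ == "__main__":
    print(compare(OLD, NEW))
```

A positive `gap` means the new TGT starts after the old one had already expired, rather than before its expiry.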