[Samba] Kerberos ticket lifetime
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 2 12:16:32 UTC 2020
Maybe it's..
authconfig --enablewinbindkrb5 --update
Requirements to achieve this:
- A valid /etc/krb5.conf
- A valid system keytab /etc/krb5.keytab
- A valid /etc/samba/smb.conf -> will be modified by authconfig
(found on the internet, worked in CentOS 7)
But better read..
https://sssd.io/docs/users/pam_krb5_migration.html
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 2 October 2020 14:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
>
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
> > On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> >
> >> On 01/10/2020 21:46, Rowland penny via samba wrote:
> >>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
> >>>>
> >>>>
> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
> >>>>
> >>>> Let's wait and see what happens with your ticket after 10 hours.
> >>>> Maybe there's a bug there as well.
> >>> It will be in the middle of the night here, so I will report back in
> >>> the morning, but if it is a bug (not refreshing, that is), then it
> >>> is an RHEL one, it works on Debian.
> >>
> >> OK, I still have a valid kerberos ticket, it just doesn't seem to
> >> have been refreshed when I expected :-\
> >>
> >> Old ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting Expires Service principal
> >> 01/10/20 15:34:44 02/10/20 01:34:44
> >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >> renew until 08/10/20 15:34:44
> >> 01/10/20 15:34:44 02/10/20 01:34:44 CEN8$@SAMDOM.EXAMPLE.COM
> >> renew until 08/10/20 15:34:44
> >>
> >> New ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting Expires Service principal
> >> 02/10/20 06:41:20 02/10/20 16:41:20
> >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >> renew until 08/10/20 15:41:17
> >
> > In your case, did you ssh to "centos8", or you just logged into it via
> > a GUI? When I login via the GUI, winbind renews the key. When I ssh,
> > it does not. On your destination system, the ticket cache is still
> > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
> >
> > In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
> >
> > Jason.
> >
> >
> I logged in via 'ssh' and until I added pam_krb5, I didn't
> get a ticket.
> I think your problem is the lack of pam_krb5
>
> Rowland