[Samba] Kerberos ticket lifetime

L.P.H. van Belle belle at bazuin.nl
Fri Oct 2 12:16:32 UTC 2020


Maybe it's..

authconfig --enablewinbindkrb5 --update 

Requirements to achieve this:

- A valid /etc/krb5.conf
- A valid system keytab /etc/krb5.keytab
- A valid /etc/samba/smb.conf -> will be modified by authconfig 

(found on the internet, worked in CentOS 7)

But better read.. 
https://sssd.io/docs/users/pam_krb5_migration.html 

Greetz, 

Louis


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 2 October 2020 14:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
> 
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
> > On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> >
> >> On 01/10/2020 21:46, Rowland penny via samba wrote:
> >>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
> >>>>
> >>>>
> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
> >>>>
> >>>> Let's wait and see what happens with your ticket after 10 hours. 
> >>>> Maybe there's a bug there as well.
> >>> It will be in the middle of the night here, so I will report back in
> >>> the morning, but if it is a bug (not refreshing, that is), then it
> >>> is an RHEL one, it works on Debian.
> >>
> >> OK, I still have a valid kerberos ticket, it just doesn't seem to 
> >> have been refreshed when I expected :-\
> >>
> >> Old ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland@SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:34:44
> >> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:34:44
> >>
> >> New ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland@SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:41:17 
> >
> > In your case, did you ssh to "centos8", or you just logged into it via
> > a GUI?  When I login via the GUI, winbind renews the key. When I ssh,
> > it does not.  On your destination system, the ticket cache is still
> > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
> >
> > In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
> >
> > Jason.
> >
> >
> I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket.
> I think your problem is the lack of pam_krb5
> 
> Rowland
> 