[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Fri Oct 2 12:24:58 UTC 2020


Hi Louis,

I had already done that at one point.

My pam_winbind is already working.  I can SSH to the system, and I get a 
proper ticket.  My only issue is that it doesn't refresh the ticket 
before expiry when I ssh to a system.  I think I can script around that 
and just not rely on winbind to do it.

Jason.

On 10/2/2020 8:16 AM, L.P.H. van Belle via samba wrote:
> Maybe it's..
>
> authconfig --enablewinbindkrb5 --update
>
> Requirements to achieve this:
>
> - A valid /etc/krb5.conf
> - A valid system keytab /etc/krb5.keytab
> - A valid /etc/samba/smb.conf -> will be modified by authconfig
>
> ( found on internet worked in centos7  )
>
> But better read..
> https://sssd.io/docs/users/pam_krb5_migration.html
>
> Greetz,
>
> Louis
>
>
>   
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland penny via samba
>> Sent: Friday 2 October 2020 14:06
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Kerberos ticket lifetime
>>
>> On 02/10/2020 13:01, Jason Keltz via samba wrote:
>>> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>>>
>>>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>>>
>>>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>>>
>>>>>> Let's wait and see what happens with your ticket after 10 hours.
>>>>>> Maybe there's a bug there as well.
>>>>> It will be in the middle of the night here, so I will report back in
>>>>> the morning, but if it is a bug (not refreshing, that is), then it
>>>>> is an RHEL one, it works on Debian.
>>>> OK, I still have a valid kerberos ticket, it just doesn't seem to
>>>> have been refreshed when I expected :-\
>>>>
>>>> Old ticket:
>>>>
>>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>>>      renew until 08/10/20 15:34:44
>>>> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
>>>>      renew until 08/10/20 15:34:44
>>>>
>>>> New ticket:
>>>>
>>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>>>      renew until 08/10/20 15:41:17
>>> In your case, did you ssh to "centos8", or you just logged into it via
>>> a GUI?  When I login via the GUI, winbind renews the key.  When I ssh,
>>> it does not.  On your destination system, the ticket cache is still
>>> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>>>
>>> In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
>>> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>>>
>>> Jason.
>>>
>>>
>> I logged in via 'ssh' and until I added pam_krb5, I didn't
>> get a ticket.
>> I think your problem is the lack of pam_krb5
>>
>> Rowland
>
-- 
Jason Keltz
Manager of Development
Department of Electrical Engineering & Computer Science
York University, Toronto, Canada
Tel: 416-736-2100 x. 33570
Fax: 416-736-5872
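
Added example, not code from this thread or from Samba: one way to script the renewal mentioned in the message above, by parsing `klist` output and running `kinit -R` while the TGT is still valid (a TGT that has already expired cannot be renewed). The function names, the one-hour margin and the dd/mm/yy date format are assumptions; the sample input is constructed from the klist output quoted in the thread.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample modelled on the klist output quoted in this thread (dd/mm/yy dates).
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
     renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
     renew until 08/10/20 15:34:44
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {STAMP}\s*$")
FMT = "%d/%m/%y %H:%M:%S"  # assumption: klist date format is locale-dependent

def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt entry, or None if absent."""
    expires = None
    for line in klist_text.splitlines():
        m = ENTRY.match(line)
        if m:
            if expires:
                break  # next entry reached: the TGT had no "renew until" line
            if m.group(3).startswith("krbtgt/"):
                expires = datetime.strptime(m.group(2), FMT)
            continue
        m = RENEW.match(line)
        if m and expires:
            return expires, datetime.strptime(m.group(1), FMT)
    return (expires, None) if expires else None

def decide(klist_text, now, margin=timedelta(hours=1)):
    """Return 'ok', 'renew' (run kinit -R) or 'reauth' (password or keytab needed)."""
    expires, renew_until = parse_tgt(klist_text) or (None, None)
    if not expires or now >= expires or not renew_until or now >= renew_until:
        return "reauth"  # missing, expired or non-renewable TGT
    return "renew" if expires - now <= margin else "ok"

if __name__ == "__main__":  # run from cron or a systemd user timer
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    if decide(out, datetime.now()) == "renew":
        subprocess.run(["kinit", "-R"], check=True)
```

Run it as the logged-in user with KRB5CCNAME pointing at the cache the ssh session uses, at an interval shorter than the margin.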



