[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Fri Oct 2 12:43:07 UTC 2020

On 10/2/2020 8:30 AM, Rowland penny via samba wrote:

> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>> Hi Louis,
>> I had already done that at one point.
>> My pam_winbind is already working.  I can SSH to the system, and I 
>> get a proper ticket.  My only issue is that it doesn't refresh the 
>> ticket before expiry when I ssh to a system.  I think I can script 
>> around that and just not rely on winbind to do it.
> Why do you (seemingly) not want to install pam_krb5 ? you do not need 
> a script with it.

SSH is already capable of forwarding Kerberos tickets.  It does exactly 
that on my system.   I SSH from one system in the domain where I have a 
Kerberos ticket to another system where I do not, and I am not asked for 
a password.  If I kdestroy my ticket on the original system, and try to 
SSH to the other system, the SSH asks for a password, then I get a new 
ticket.  Everything works exactly the way it should (at least in my 
mind).   My problem isn't that the ticket doesn't arrive or that I can't 
login.  My problem is that winbind doesn't refresh the ticket when it's 
near expiry. It's not clear to me why installing pam_krb5 resolves that. 
pam_krb5 is doing what my system is already doing (albeit for you, 
winbind is refreshing as well). I would just like to understand the 
technical details, which I obviously do not.


More information about the samba mailing list