[Samba] Kerberos ticket lifetime
Jason Keltz
jas at eecs.yorku.ca
Fri Oct 2 12:43:07 UTC 2020
On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>> Hi Louis,
>>
>> I had already done that at one point.
>>
>> My pam_winbind is already working. I can SSH to the system, and I
>> get a proper ticket. My only issue is that it doesn't refresh the
>> ticket before expiry when I ssh to a system. I think I can script
>> around that and just not rely on winbind to do it.
>
> Why do you (seemingly) not want to install pam_krb5? You do not need
> a script with it.

SSH is already capable of forwarding Kerberos tickets. It does exactly
that on my system. I SSH from one system in the domain where I have a
Kerberos ticket to another system where I do not, and I am not asked for
a password. If I kdestroy my ticket on the original system, and try to
SSH to the other system, the SSH asks for a password, then I get a new
ticket. Everything works exactly the way it should (at least in my
mind). My problem isn't that the ticket doesn't arrive or that I can't
log in. My problem is that winbind doesn't refresh the ticket when it's
near expiry. It's not clear to me why installing pam_krb5 resolves that.
pam_krb5 is doing what my system is already doing (albeit for you,
winbind is refreshing as well). I would just like to understand the
technical details, which I obviously do not.
Jason.