[Samba] Kerberos ticket lifetime
rpenny at samba.org
Fri Oct 2 13:04:35 UTC 2020
On 02/10/2020 13:43, Jason Keltz via samba wrote:
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>> Hi Louis,
>>> I had already done that at one point.
>>> My pam_winbind is already working. I can SSH to the system, and I
>>> get a proper ticket. My only issue is that it doesn't refresh the
>>> ticket before expiry when I ssh to a system. I think I can script
>>> around that and just not rely on winbind to do it.
>> Why do you (seemingly) not want to install pam_krb5? You do not need
>> a script with it.
> SSH is already capable of forwarding Kerberos tickets. It does
> exactly that on my system. I SSH from one system in the domain where
> I have a Kerberos ticket to another system where I do not, and I am
> not asked for a password. If I kdestroy my ticket on the original
> system, and try to SSH to the other system, the SSH asks for a
> password, then I get a new ticket. Everything works exactly the way
> it should (at least in my mind). My problem isn't that the ticket
> doesn't arrive or that I can't login. My problem is that winbind
> doesn't refresh the ticket when it's near expiry. It's not clear to me
> why installing pam_krb5 resolves that. pam_krb5 is doing what my
> system is already doing (albeit for you, winbind is refreshing as
> well). I would just like to understand the technical details, which I
> obviously do not.
OK, I can understand that, but I can make observations from my use of ssh.
If I do it your way, I get asked for a password the first time I log in
via ssh, subsequent logins do not require the password, but I do not get
a ticket in /tmp.
After I installed pam_krb5, I still didn't get a ticket until I stopped
sshd using GSSAPI, then I got the ticket (I presume PAM passed the
password down the stack).
It may be possible to do both, use GSSAPI and get winbind to refresh the
tickets, but I do not know how to.
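The "script around it" approach Jason mentions, as an added example that is not code from the thread or from Samba: it reads the cached TGT's expiry from MIT `klist` output (the default timestamp format and the sample cache contents are assumptions) and decides whether a `kinit -R` renewal is due before the ticket lapses.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (default "%m/%d/%y %H:%M:%S"
# timestamps); an assumption, not output from any system in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
10/02/20 08:30:00  10/02/20 18:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/09/20 08:30:00
10/02/20 08:31:12  10/02/20 18:30:00  host/box.example.com@EXAMPLE.COM
"""

TS = "%m/%d/%y %H:%M:%S"
# Only the krbtgt entry matters: renewing it is what keeps later logins working.
TGT_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(krbtgt/\S+)$")


def tgt_expiry(klist_output):
    """Return the cached TGT's expiry as a datetime, or None if no TGT is cached."""
    for line in klist_output.splitlines():
        m = TGT_LINE.match(line.strip())
        if m:
            return datetime.strptime(m.group(2), TS)
    return None


def renewal_due(klist_output, now_text, margin_minutes=30):
    """True when no TGT is cached or it expires within margin_minutes of now_text.

    now_text uses the same klist timestamp format so callers can pass klist-style strings.
    """
    exp = tgt_expiry(klist_output)
    if exp is None:
        return True
    now = datetime.strptime(now_text, TS)
    return exp - now <= timedelta(minutes=margin_minutes)


if __name__ == "__main__":
    # Run from a login script or cron: renew while the TGT is still valid.
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    if renewal_due(out, datetime.now().strftime(TS)):
        # `kinit -R` only works inside the "renew until" window of a still-valid
        # ticket; an already-expired TGT needs a fresh kinit (password or keytab).
        sys.exit(subprocess.call(["kinit", "-R"]))
```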