[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Fri Oct 2 13:04:35 UTC 2020

On 02/10/2020 13:43, Jason Keltz via samba wrote:
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>> Hi Louis,
>>> I had already done that at one point.
>>> My pam_winbind is already working.  I can SSH to the system, and I 
>>> get a proper ticket.  My only issue is that it doesn't refresh the 
>>> ticket before expiry when I ssh to a system.  I think I can script 
>>> around that and just not rely on winbind to do it.
>> Why do you (seemingly) not want to install pam_krb5 ? you do not need 
>> a script with it.
> SSH is already capable of forwarding Kerberos tickets.  It does 
> exactly that on my system.   I SSH from one system in the domain where 
> I have a Kerberos ticket to another system where I do not, and I am 
> not asked for a password.  If I kdestroy my ticket on the original 
> system, and try to SSH to the other system, the SSH asks for a 
> password, then I get a new ticket.  Everything works exactly the way 
> it should (at least in my mind).   My problem isn't that the ticket 
> doesn't arrive or that I can't login.  My problem is that winbind 
> doesn't refresh the ticket when it's near expiry. It's not clear to me 
> why installing pam_krb5 resolves that. pam_krb5 is doing what my 
> system is already doing (albeit for you, winbind is refreshing as 
> well). I would just like to understand the technical details, which I 
> obviously do not.
> Jason.
OK, I can understand that, but I can make observations from my use of ssh.

If I do it your way, I get asked for a password the first time I log in 
via ssh; subsequent logins do not require the password, but I do not get 
a ticket in /tmp.

After I installed pam_krb5, I still didn't get a ticket until I stopped 
sshd from using GSSAPI, then I got the ticket (I presume PAM passed the 
password down the stack).

It may be possible to do both, use GSSAPI and get winbind to refresh the 
tickets, but I do not know how to.
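Jason mentions scripting around winbind's missing refresh. The following is an added example written for this page; it is not code from the thread, from Samba or from pam_winbind. It parses `klist` output to find the TGT's expiry, decides whether the ticket is within a threshold of expiring, and only then runs `kinit -R`. Assumptions not stated in the thread: MIT Kerberos `klist` date layout (`MM/DD/YYYY HH:MM:SS`, forced to UTC with `TZ=UTC` so it can be compared with `date +%s`), a credential cache of type FILE, and a ticket that was issued renewable (if it is not, `kinit -R` fails and only a fresh `kinit`, or the PAM login path, yields a new ticket). The sample `klist` text is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: renew a Kerberos TGT
# when it is close to expiry. Suitable for a cron job or an ssh login hook.

# to_epoch "MM/DD/YYYY HH:MM:SS" -> seconds since 1970-01-01 00:00:00 UTC.
# Done in awk (days-from-civil formula) so it does not depend on GNU `date -d`;
# the input must therefore already be a UTC timestamp (see TZ=UTC below).
to_epoch() {
    printf '%s\n' "$1" | awk -F'[/ :]' '{
        m = $1; d = $2; y = $3; H = $4; M = $5; S = $6
        if (m <= 2) { y -= 1; m += 12 }   # count Jan/Feb as months 13/14 of the previous year
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        print days * 86400 + H * 3600 + M * 60 + S
    }'
}

# needs_renewal KLIST_OUTPUT NOW_EPOCH THRESHOLD_SECONDS
# Prints "yes" when the krbtgt entry expires within THRESHOLD seconds of NOW,
# "no" otherwise. Returns 2 when the cache holds no TGT at all.
needs_renewal() {
    expires=$(printf '%s\n' "$1" | awk '/krbtgt\// { print $3 " " $4; exit }')
    [ -n "$expires" ] || return 2
    exp_epoch=$(to_epoch "$expires")
    remaining=$((exp_epoch - $2))
    if [ "$remaining" -le "$3" ]; then echo yes; else echo no; fi
}

# Constructed sample (assumed MIT klist layout, not real output): a TGT valid
# from 13:04:35 to 23:04:35 UTC on 2 Oct 2020, renewable for a week.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jason@EXAMPLE.COM

Valid starting       Expires              Service principal
10/02/2020 13:04:35  10/02/2020 23:04:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/09/2020 13:04:35'

# Live path: read the real cache (in UTC, to match `date +%s`) and renew
# when less than 10 minutes remain. kinit -R only succeeds while the ticket
# is still valid and before its "renew until" time, so run this more often
# than the threshold.
renew_if_needed() {
    out=$(TZ=UTC klist 2>/dev/null) || { echo "no credential cache" >&2; return 1; }
    case "$(needs_renewal "$out" "$(date +%s)" 600)" in
        yes) kinit -R && echo "TGT renewed" ;;
        no)  echo "TGT still valid, nothing to do" ;;
        *)   echo "no krbtgt in cache" >&2; return 1 ;;
    esac
}

# Only touch the live cache when invoked as `./renew-tgt.sh --run`.
case "${1:-}" in --run) renew_if_needed ;; esac
```

Run it as `./renew-tgt.sh --run` from cron (for example every five minutes) under the user's own account, since the cache file belongs to that user. If winbind is the one issuing the ticket, the cache name may not be the default `/tmp/krb5cc_UID`; set `KRB5CCNAME` in the cron environment to match what `klist` shows after an ssh login.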
