[Samba] Kerberos ticket lifetime
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 2 13:07:34 UTC 2020
Ah, and is that server allowed to "forward/exchange" that ticket?
Try this on both servers and test again.
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes
Which you need exactly, I don't know, but I think you need to look in this area.
Think of this:
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jason Keltz via samba
> Sent: Friday 2 October 2020 14:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
>
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>
> > On 02/10/2020 13:24, Jason Keltz via samba wrote:
> >> Hi Louis,
> >>
> >> I had already done that at one point.
> >>
> >> My pam_winbind is already working. I can SSH to the system, and I
> >> get a proper ticket. My only issue is that it doesn't refresh the
> >> ticket before expiry when I ssh to a system. I think I can script
> >> around that and just not rely on winbind to do it.
> >
> > Why do you (seemingly) not want to install pam_krb5? You do not need
> > a script with it.
>
> SSH is already capable of forwarding Kerberos tickets. It does exactly
> that on my system. I SSH from one system in the domain where I have a
> Kerberos ticket to another system where I do not, and I am not asked for
> a password. If I kdestroy my ticket on the original system, and try to
> SSH to the other system, the SSH asks for a password, then I get a new
> ticket. Everything works exactly the way it should (at least in my
> mind). My problem isn't that the ticket doesn't arrive or that I can't
> login. My problem is that winbind doesn't refresh the ticket when it's
> near expiry. It's not clear to me why installing pam_krb5 resolves that.
> pam_krb5 is doing what my system is already doing (albeit for you,
> winbind is refreshing as well). I would just like to understand the
> technical details, which I obviously do not.
>
> Jason.