[Samba] Kerberos ticket lifetime

L.P.H. van Belle belle at bazuin.nl
Fri Oct 2 13:07:34 UTC 2020

Ah, and it that server allowed to "forward/exchange" that ticket? 

Try this on both servers and test again. 

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes 

Which you need exaclty, i dont now, but i think you need to look in this area.. 

Think in this : 
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)? 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Jason Keltz via samba
> Verzonden: vrijdag 2 oktober 2020 14:43
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Kerberos ticket lifetime
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
> > On 02/10/2020 13:24, Jason Keltz via samba wrote:
> >> Hi Louis,
> >>
> >> I had already done that at one point.
> >>
> >> My pam_winbind is already working.  I can SSH to the system, and I 
> >> get a proper ticket.  My only issue is that it doesn't refresh the 
> >> ticket before expiry when I ssh to a system.  I think I can script 
> >> around that and just not rely on winbind to do it.
> >
> > Why do you (seemingly) not want to install pam_krb5 ? you 
> do not need 
> > a script with it.
> SSH is already capable of forwarding Kerberos tickets.  It 
> does exactly 
> that on my system.   I SSH from one system in the domain 
> where I have a 
> Kerberos ticket to another system where I do not, and I am 
> not asked for 
> a password.  If I kdestroy my ticket on the original system, 
> and try to 
> SSH to the other system, the SSH asks for a password, then I 
> get a new 
> ticket.  Everything works exactly the way it should (at least in my 
> mind).   My problem isn't that the ticket doesn't arrive or 
> that I can't 
> login.  My problem is that winbind doesn't refresh the ticket 
> when it's 
> near expiry. It's not clear to me why installing pam_krb5 
> resolves that. 
> pam_krb5 is doing what my system is already doing (albeit for you, 
> winbind is refreshing as well). I would just like to understand the 
> technical details, which I obviously do not.
> Jason.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list