[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Fri Oct 2 13:20:06 UTC 2020

Hi Louis,

I have those options already..

I'll have to look into the debug options for winbind to see what it's up 
to when it comes to the renewal.

Rowland: I'll have to experiment some more and see...


On 10/2/2020 9:07 AM, L.P.H. van Belle via samba wrote:

> Ah, and it that server allowed to "forward/exchange" that ticket?
> Try this on both servers and test again.
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials no
> GSSAPIStrictAcceptorCheck no
> GSSAPIKeyExchange yes
> Which you need exaclty, i dont now, but i think you need to look in this area..
> Think in this :
> Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
> Which are allowed for the server(s)?
> Greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Jason Keltz via samba
>> Verzonden: vrijdag 2 oktober 2020 14:43
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Kerberos ticket lifetime
>> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>>> Hi Louis,
>>>> I had already done that at one point.
>>>> My pam_winbind is already working.  I can SSH to the system, and I
>>>> get a proper ticket.  My only issue is that it doesn't refresh the
>>>> ticket before expiry when I ssh to a system.  I think I can script
>>>> around that and just not rely on winbind to do it.
>>> Why do you (seemingly) not want to install pam_krb5 ? you
>> do not need
>>> a script with it.
>> SSH is already capable of forwarding Kerberos tickets.  It
>> does exactly
>> that on my system.   I SSH from one system in the domain
>> where I have a
>> Kerberos ticket to another system where I do not, and I am
>> not asked for
>> a password.  If I kdestroy my ticket on the original system,
>> and try to
>> SSH to the other system, the SSH asks for a password, then I
>> get a new
>> ticket.  Everything works exactly the way it should (at least in my
>> mind).   My problem isn't that the ticket doesn't arrive or
>> that I can't
>> login.  My problem is that winbind doesn't refresh the ticket
>> when it's
>> near expiry. It's not clear to me why installing pam_krb5
>> resolves that.
>> pam_krb5 is doing what my system is already doing (albeit for you,
>> winbind is refreshing as well). I would just like to understand the
>> technical details, which I obviously do not.
>> Jason.
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list