[Samba] Kerberos ticket lifetime
jas at eecs.yorku.ca
Wed Sep 30 14:51:44 UTC 2020
I have a question about Kerberos ticket lifetime in AD with Samba.
I'm running on CentOS 7 with Samba 4.11. If I change
"ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
/etc.krb5.conf, it doesn't seem to make a difference. When I log out and
back in to the client (that is using pam_winbind), I still get a 10
hour ticket time. I found this page:
and tried setting "kdc:user ticket lifetime = 24" on the DC even though
this doesn't even appear in smb.conf man page but didn't seem to have
any effect either. Would someone please clarify?
Also, it's not clear whether it is even necessary for me to adjust the
ticket_lifetime or whether winbind will renew the ticket until the
expiry time automatically (and hence the ticket lifetime isn't such a
big deal). Note that in the man page for pam_winbind.conf, krb5_auth
option says: "When this parameter is used in conjunction with winbind
refresh tickets, winbind will keep your Ticket Granting Ticket (TGT)
uptodate by refreshing it whenever necessary. Defaults to "no".
However, there's no option "winbind refresh tickets" in the man page.
There's not an entry for it in examples/pam_winbind/pam_winbind.conf in
the source either, but I think it's actually doing that.
More information about the samba