[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Wed Sep 30 14:51:44 UTC 2020


I have a question about Kerberos ticket lifetime in AD with Samba.

I'm running on CentOS 7 with Samba 4.11. If I change
"ticket_lifetime=24h" in the AD server's /etc/krb5.conf, or the client's
/etc/krb5.conf, it doesn't seem to make a difference. When I log out and
back in to the client (which is using pam_winbind), I still get a 10
hour ticket time. I found this page:


and tried setting "kdc:user ticket lifetime = 24" on the DC, even though
this doesn't even appear in the smb.conf man page, but it didn't seem to
have any effect either. Would someone please clarify?

Also, it's not clear whether it is even necessary for me to adjust the
ticket_lifetime or whether winbind will renew the ticket until the
expiry time automatically (and hence the ticket lifetime isn't such a
big deal). Note that in the man page for pam_winbind.conf, the krb5_auth
option says: "When this parameter is used in conjunction with winbind
refresh tickets, winbind will keep your Ticket Granting Ticket (TGT)
up-to-date by refreshing it whenever necessary. Defaults to "no"."
However, there's no option "winbind refresh tickets" in the man page.
There's not an entry for it in examples/pam_winbind/pam_winbind.conf in
the source either, but I think it's actually doing that.


