[Samba] Kerberos ticket lifetime
Rowland Penny
rpenny at samba.org
Wed Sep 30 15:15:26 UTC 2020
On 30/09/2020 15:51, Jason Keltz via samba wrote:
> Hi.
>
> I have a question about Kerberos ticket lifetime in AD with Samba.
>
> I'm running on CentOS 7 with Samba 4.11. If I change
> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
> /etc/krb5.conf, it doesn't seem to make a difference. When I log out
> and back in to the client (that is using pam_winbind), I still get a
> 10 hour ticket time. I found this page:
>
> https://wiki.samba.org/index.php/Samba_KDC_Settings
>
> and tried setting "kdc:user ticket lifetime = 24" on the DC even
> though this doesn't even appear in smb.conf man page but didn't seem
> to have any effect either. Would someone please clarify?
>
> Also, it's not clear whether it is even necessary for me to adjust the
> ticket_lifetime or whether winbind will renew the ticket until the
> expiry time automatically (and hence the ticket lifetime isn't such a
> big deal). Note that in the man page for pam_winbind.conf, krb5_auth
> option says: "When this parameter is used in conjunction with winbind
> refresh tickets, winbind will keep your Ticket Granting Ticket (TGT)
> uptodate by refreshing it whenever necessary. Defaults to "no".
> However, there's no option "winbind refresh tickets" in the man page.
> There's not an entry for it in examples/pam_winbind/pam_winbind.conf
> in the source either, but I think it's actually doing that.
>
It is documented in 'man smb.conf'.
Just add 'winbind refresh tickets = yes' to smb.conf; this should ensure
your Kerberos tickets are kept up to date.
Rowland
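
A way to check that both settings named in this thread are in place, as an added example that is not part of the original messages or of Samba itself. The function names and sample file contents are constructed for illustration; it assumes both files use a [global] section and ignores options passed on the PAM module line or pulled in through smb.conf includes.

```python
import re

# Boolean spellings Samba accepts as "true" for smb.conf parameters.
TRUE_VALUES = {"yes", "true", "on", "1"}

def normalize(name):
    # Samba ignores case and whitespace inside parameter names, so
    # 'Winbind Refresh  Tickets' and 'winbindrefreshtickets' are the same key.
    return re.sub(r"\s+", "", name).lower()

def parse_ini(text):
    """Parse smb.conf-style text into {section: {normalized_param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[normalize(key)] = value.strip()
    return sections

def is_enabled(text, param):
    # Both parameters default to "no" when absent.
    value = parse_ini(text).get("global", {}).get(normalize(param), "no")
    return value.lower() in TRUE_VALUES

def ticket_refresh_findings(smb_conf, pam_winbind_conf):
    """Return a list of missing settings; empty means winbind should refresh TGTs."""
    findings = []
    if not is_enabled(smb_conf, "winbind refresh tickets"):
        findings.append("smb.conf: 'winbind refresh tickets = yes' not set in [global]")
    if not is_enabled(pam_winbind_conf, "krb5_auth"):
        findings.append("pam_winbind.conf: 'krb5_auth = yes' not set in [global]")
    return findings

# Constructed sample files (not taken from the thread).
SMB_BEFORE = "[global]\n  security = ads\n  # winbind refresh tickets = yes\n"
SMB_AFTER = "[global]\n  security = ads\n  Winbind Refresh  Tickets = Yes\n"
PAM_CONF = "[global]\n  krb5_auth = yes\n  krb5_ccache_type = FILE\n"

if __name__ == "__main__":
    for label, smb in (("before", SMB_BEFORE), ("after", SMB_AFTER)):
        print(label, ticket_refresh_findings(smb, PAM_CONF) or "ok")
```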