[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Wed Sep 30 15:15:26 UTC 2020

On 30/09/2020 15:51, Jason Keltz via samba wrote:
> Hi.
> I have a question about Kerberos ticket lifetime in AD with Samba.
> I'm running on CentOS 7 with Samba 4.11.  If I change 
> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client 
> /etc.krb5.conf, it doesn't seem to make a difference. When I log out 
> and back in to the client  (that is using pam_winbind), I still get a 
> 10 hour ticket time.  I found this page:
> https://wiki.samba.org/index.php/Samba_KDC_Settings
> and tried setting "kdc:user ticket lifetime = 24" on the DC even 
> though this doesn't even appear in smb.conf man page but didn't seem 
> to have any effect either.  Would someone please clarify?
> Also, it's not clear whether it is even necessary for me to adjust the 
> ticket_lifetime or whether winbind will  renew the ticket until the 
> expiry time automatically (and hence the ticket lifetime isn't such a 
> big deal).   Note that in the man page for pam_winbind.conf, krb5_auth 
> option says: "When this parameter is used in conjunction with winbind 
> refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) 
> uptodate by  refreshing it whenever necessary. Defaults to "no".  
> However, there's no option "winbind refresh tickets" in the man page.  
> There's not an entry for it in examples/pam_winbind/pam_winbind.conf 
> in the source either, but I think it's actually doing that.
It is documented in 'map smb.conf'.

Just add 'winbind refresh tickets = yes' to smb.conf, this should ensure 
your kerberos tickets are kept up to date.


More information about the samba mailing list