[Samba] Kerberos ticket lifetime
Jason Keltz
jas at eecs.yorku.ca
Wed Sep 30 15:38:10 UTC 2020
On 9/30/2020 11:15 AM, Rowland penny via samba wrote:
> On 30/09/2020 15:51, Jason Keltz via samba wrote:
>> Hi.
>>
>> I have a question about Kerberos ticket lifetime in AD with Samba.
>>
>> I'm running on CentOS 7 with Samba 4.11. If I change
>> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
>> /etc/krb5.conf, it doesn't seem to make a difference. When I log out
>> and back in to the client (that is using pam_winbind), I still get a
>> 10 hour ticket time. I found this page:
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> and tried setting "kdc:user ticket lifetime = 24" on the DC even
>> though this doesn't even appear in smb.conf man page but didn't seem
>> to have any effect either. Would someone please clarify?
>>
>> Also, it's not clear whether it is even necessary for me to adjust
>> the ticket_lifetime or whether winbind will renew the ticket until
>> the expiry time automatically (and hence the ticket lifetime isn't
>> such a big deal). Note that in the man page for pam_winbind.conf,
>> krb5_auth option says: "When this parameter is used in conjunction
>> with winbind refresh tickets, winbind will keep your Ticket Granting
>> Ticket (TGT) uptodate by refreshing it whenever necessary. Defaults
>> to "no"." However, there's no option "winbind refresh tickets" in the
>> man page. There's not an entry for it in
>> examples/pam_winbind/pam_winbind.conf in the source either, but I
>> think it's actually doing that.
>>
> It is documented in 'man smb.conf'.
>
> Just add 'winbind refresh tickets = yes' to smb.conf, this should
> ensure your kerberos tickets are kept up to date.
Thanks, Rowland.
I remembered seeing that setting but couldn't remember where I saw it.
The man page for pam_winbind.conf should refer to "winbind refresh
tickets" in smb.conf. Any idea how to change the other ticket values
though? I want to do testing on what happens to NFS4 mounts after expiry
without waiting for 7 days. :)
Jason.
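
An added example, not part of the original messages: one way to check the effective TGT lifetime and the renewable window discussed in this thread, by parsing `klist` output after a login. It assumes MIT `klist` with en_US date formatting; the sample output, principal and realm are constructed, and `tgt_lifetimes` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample of MIT `klist` output (en_US date format assumed);
# the principal and realm are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
09/30/2020 11:00:00  09/30/2020 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/07/2020 11:00:00
"""

STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until {STAMP}\s*$")


def _ts(text):
    # Parse one klist timestamp (month/day/year, 24-hour clock).
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S")


def tgt_lifetimes(klist_output):
    """Return (ticket_lifetime, renewable_lifetime) for the krbtgt entry.

    renewable_lifetime is None when the TGT carries no 'renew until'
    line, i.e. the ticket was not issued as renewable.
    """
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        start, end = _ts(m.group(1)), _ts(m.group(2))
        renew = None
        if i + 1 < len(lines):
            r = RENEW_RE.match(lines[i + 1])
            if r:
                renew = _ts(r.group(1)) - start
        return end - start, renew
    raise ValueError("no krbtgt ticket found in klist output")


if __name__ == "__main__":
    life, renew = tgt_lifetimes(SAMPLE_KLIST)
    print(f"ticket lifetime: {life}, renewable for: {renew}")
```

Comparing the two values before and after a configuration change shows whether the change affected the ticket lifetime, the renewable window, or neither.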