[Samba] Kerberos ticket lifetime

Remy Zandwijk remy+samba at luckyhands.nl
Wed Sep 30 16:38:03 UTC 2020


Hi Jason,

> On 30 Sep 2020, at 17:38, Jason Keltz via samba <samba at lists.samba.org> wrote:
> 
> 
> On 9/30/2020 11:15 AM, Rowland penny via samba wrote:
>> On 30/09/2020 15:51, Jason Keltz via samba wrote:
>>> Hi.
>>> 
>>> I have a question about Kerberos ticket lifetime in AD with Samba.
>>> 
>>> I'm running on CentOS 7 with Samba 4.11.  If I change "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client /etc/krb5.conf, it doesn't seem to make a difference. When I log out and back in to the client (that is using pam_winbind), I still get a 10 hour ticket time.  I found this page:
>>> 
>>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>> 
>>> and tried setting "kdc:user ticket lifetime = 24" on the DC even though this doesn't even appear in smb.conf man page but didn't seem to have any effect either.  Would someone please clarify?
>>> 
>>> Also, it's not clear whether it is even necessary for me to adjust the ticket_lifetime or whether winbind will renew the ticket until the expiry time automatically (and hence the ticket lifetime isn't such a big deal).   Note that in the man page for pam_winbind.conf, krb5_auth option says: "When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary. Defaults to "no"."  However, there's no option "winbind refresh tickets" in the man page.  There's not an entry for it in examples/pam_winbind/pam_winbind.conf in the source either, but I think it's actually doing that.
>>> 
>> It is documented in 'man smb.conf'.
>> 
>> Just add 'winbind refresh tickets = yes' to smb.conf, this should ensure your kerberos tickets are kept up to date.
> 
> Thanks, Rowland.
> 
> I remembered seeing that setting but couldn't remember where I saw it.  The man page for pam_winbind.conf should refer to "winbind refresh tickets" in smb.conf.  Any idea how to change the other ticket values though? I want to do testing on what happens to NFS4 mounts after expiry without waiting for 7 days. :)

On the client, add:

gensec_gssapi:requested_life_time = <int> # seconds

to smb4.conf. E.g. a ticket lifetime of one hour:

gensec_gssapi:requested_life_time = 3600



-Remy
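To verify that a change to the requested lifetime actually took effect (rather than guessing from the 10 hour default the question describes), here is an added check that is not part of this thread: it parses MIT-style `klist` output, reports the TGT's ticket and renewable lifetimes in seconds, and compares the former with the value set for gensec_gssapi:requested_life_time. The klist sample is constructed, and the timestamp format assumed is klist's default "MM/DD/YYYY HH:MM:SS".

```python
"""Check the effective Kerberos TGT lifetime from `klist` output."""
from datetime import datetime
import re

# Constructed sample in MIT klist format (not a real capture): a 10-hour TGT
# that is renewable for 7 days, which matches the AD defaults seen in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jason@EXAMPLE.COM

Valid starting       Expires              Service principal
09/30/2020 12:00:00  09/30/2020 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/07/2020 12:00:00
"""

TS = "%m/%d/%Y %H:%M:%S"  # klist default timestamp format (assumed)
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TGT_LINE = re.compile(r"^(%s)\s+(%s)\s+krbtgt/" % (STAMP, STAMP))
RENEW_LINE = re.compile(r"^\s*renew until (%s)" % STAMP)


def tgt_lifetimes(klist_output):
    """Return (ticket_lifetime_s, renewable_lifetime_s) for the first krbtgt entry.

    renewable_lifetime_s is None when no 'renew until' line follows the entry.
    """
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_LINE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), TS)
        expires = datetime.strptime(m.group(2), TS)
        renew_s = None
        if i + 1 < len(lines):
            r = RENEW_LINE.match(lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), TS)
                renew_s = int((renew_until - start).total_seconds())
        return int((expires - start).total_seconds()), renew_s
    raise ValueError("no krbtgt entry found in klist output")


def check_requested_lifetime(klist_output, requested_s):
    """True if the TGT lifetime equals gensec_gssapi:requested_life_time (seconds)."""
    lifetime_s, _ = tgt_lifetimes(klist_output)
    return lifetime_s == requested_s


if __name__ == "__main__":
    # Replace SAMPLE_KLIST with the real output of `klist` to check a live cache.
    life, renew = tgt_lifetimes(SAMPLE_KLIST)
    print("TGT lifetime: %d s, renewable for: %s s" % (life, renew))
    print("matches requested 3600 s:", check_requested_lifetime(SAMPLE_KLIST, 3600))
```

Keep in mind that the KDC clamps the requested value to the domain's Kerberos policy, so a request larger than the domain's maximum user ticket lifetime still comes back as that maximum.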
