[Samba] Kerberos ticket lifetime

Remy Zandwijk remy+samba at luckyhands.nl
Wed Sep 30 19:01:25 UTC 2020

> I hope that you're doing well...

I am, thanks. I still need to answer your private email, but I didn't find time yet.

>>> On the client, add:
>>> gensec_gssapi:requested_life_time = <int> # seconds
>>> to smb4.conf. E.g. a ticket life time of one hour:
>>> gensec_gssapi:requested_life_time = 3600
>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
> I'm a bit puzzled.  I tried this on the AD client,  restarted Samba, logged out and in, and it didn't make any difference.  I did the same thing from the DC.
> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...

How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:

Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)

How do you determine what the ticket life time is?


P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, that is where I got the setting from.

More information about the samba mailing list