[Samba] Kerberos ticket lifetime
jas at eecs.yorku.ca
Wed Sep 30 19:42:42 UTC 2020
On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>> On the client, add:
>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>> gensec_gssapi:requested_life_time = 3600
>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
> How do you determine what the ticket life time is?
> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
I just did a "klist" to see how much time was remaining on the ticket.
What I was expecting was that rather than showing 10 hour expiry, the
expiry would have been 1 hour.
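
The check discussed in this thread, as an added example that is not part of the original messages and is not Samba code: it parses winbind lines in the format quoted above and flags any ticket with more time left than the requested lifetime. The function name, the sample list and its second log line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Format of the winbind line quoted in the thread (log level 7, log.wb-* files).
LINE_RE = re.compile(
    r"Current tickets expire in (\d+) seconds \(at (\d+), time is now (\d+)\)"
)

def check_ticket_lifetimes(lines, requested_life_time):
    """Return one dict per matching log line (hypothetical helper).

    A ticket cannot have more time left than its total lifetime, so a
    'remaining' value above requested_life_time shows the ticket was issued
    with a longer lifetime than requested. A smaller value proves nothing
    by itself: an older ticket may simply be close to expiry.
    """
    results = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a ticket-expiry line
        remaining, expires_at, now = map(int, m.groups())
        expiry = datetime.fromtimestamp(expires_at, tz=timezone.utc)
        results.append({
            "remaining": remaining,
            "expires_utc": expiry.isoformat(),
            # The three numbers in the line should agree with each other.
            "consistent": expires_at - now == remaining,
            "exceeds_requested": remaining > requested_life_time,
        })
    return results

# Constructed sample input: the first line is the one quoted in the thread,
# the second is made up to show a ticket that still has about 10 hours left.
SAMPLE_LOG = [
    "  Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)",
    "  Current tickets expire in 35990 seconds (at 1577582609, time is now 1577546619)",
    "  some unrelated winbind debug line",
]

if __name__ == "__main__":
    for result in check_ticket_lifetimes(SAMPLE_LOG, requested_life_time=3600):
        print(result)
```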