[Samba] Kerberos ticket lifetime
remy+samba at luckyhands.nl
Wed Sep 30 20:11:01 UTC 2020
> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>> On the client, add:
>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>> kdc:user ticket lifetime = 24 = 3600
>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>> How do you determine what the ticket life time is?
>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, that is where I got the setting from.
> Hi Remy,
> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.
I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?
Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?
What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.
The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you where talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.
More information about the samba