[Samba] Kerberos ticket lifetime

Remy Zandwijk remy+samba at luckyhands.nl
Wed Sep 30 20:11:01 UTC 2020


> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
> 
> 
> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>> On the client, add:
>>>>> 
>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>> 
>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>> 
>>>>> kdc:user ticket lifetime = 24 = 3600
>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>> 
>>> I'm a bit puzzled.  I tried this on the AD client,  restarted Samba, logged out and in, and it didn't make any difference.  I did the same thing from the DC.
>>> 
>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>> 
>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>> 
>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>> 
>> How do you determine what the ticket life time is?
>> 
>> 
>> -Remy
>> 
>> 
>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>> 
>> 
> Hi Remy,
> 
> I just did a "klist" to see how much time was remaining on the ticket.  What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.

I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?


Now I am a bit puzzled...  So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?

What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.


The 'gensec_gssapi:requested_life_time' setting is for the Winbind Kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as an NFSv4 server, but I think I misunderstood. Sorry.


-Remy
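
An added example, not part of the original message and not Samba code: a small Python check for the "Current tickets expire in ..." lines that the message says appear in the log.wb-* files at log level 7. It assumes the requested lifetime acts as an upper bound on the remaining seconds; the function names and the second sample line are constructed for illustration.

```python
import re

# Format of the winbind debug line quoted in the message above.
LINE_RE = re.compile(
    r"Current tickets expire in (\d+) seconds "
    r"\(at (\d+), time is now (\d+)\)"
)

# Sample input: the first line is the one quoted in the message, the
# second is constructed (a ticket with roughly 10 hours remaining),
# the third is constructed noise that must be ignored.
SAMPLE = [
    "Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)",
    "Current tickets expire in 35990 seconds (at 1577582609, time is now 1577546619)",
    "some unrelated winbind debug output",
]


def parse_ticket_lines(lines):
    """Yield (remaining, expires_at, now) for each matching log line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield tuple(int(g) for g in m.groups())


def check_lifetime(lines, requested):
    """Compare each logged remaining lifetime with the requested one.

    Assumption: if the requested lifetime (seconds) is honoured, no log
    line can report more remaining seconds than that value.
    """
    results = []
    for remaining, expires_at, now in parse_ticket_lines(lines):
        results.append({
            "remaining": remaining,
            # The three numbers on one line should agree with each other.
            "consistent": expires_at - now == remaining,
            "within_requested": remaining <= requested,
        })
    return results


if __name__ == "__main__":
    for r in check_lifetime(SAMPLE, requested=3600):
        print(r)
```

A line flagged with within_requested False while a one-hour lifetime is configured indicates the ticket was issued with a longer lifetime than requested.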



