[Samba] Kerberos ticket lifetime

Jason Keltz jas at eecs.yorku.ca
Wed Sep 30 23:23:05 UTC 2020

On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote:

>> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>>> On the client, add:
>>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>> kdc:user ticket lifetime = 24 = 3600
>>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>> I'm a bit puzzled.  I tried this on the AD client,  restarted Samba, logged out and in, and it didn't make any difference.  I did the same thing from the DC.
>>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>> How do you determine what the ticket life time is?
>>> -Remy
>>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>> Hi Remy,
>> I just did a "klist" to see how much time was remaining on the ticket.  What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.
> I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?
> Now I am a bit puzzled...  So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?
> What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.
> The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.
> -Remy


On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24

When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.

From klist output on the client:

Valid starting       Expires              Service principal
09/30/2020 19:13:38  10/01/2020 05:13:37 
     renew until 10/07/2020 19:13:38

10 hours.

The client is mounting from an NFS server that is also part of the domain.

I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.

After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on the client: would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit?  Even these "kdc:" options are not part of the smb.conf man page.  I don't really understand why.  I guess everyone keeps the defaults?
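The two checks discussed in this thread (reading the ticket lifetime off klist on the client, and reading winbind's "Current tickets expire in ..." line from log.wb-* at log level 7) are easy to get wrong by eyeballing. The following Python script is an added example, not code from the thread or from the Samba project: it parses constructed klist output modelled on the lines quoted above (the cache name, principal and service principal column are assumptions, since the post's copy of that column was cut off), computes the lifetime and renewable window in seconds, flags any TGT whose lifetime does not match the value you set on the DC, and cross-checks the three numbers winbind prints in its expiry line.

```python
import re
from datetime import datetime

# Constructed sample klist output, modelled on the format quoted in the thread.
# The cache name, the principal and the krbtgt service principal are assumptions.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: jas@EXAMPLE.COM

Valid starting       Expires              Service principal
09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/07/2020 19:13:38
"""

# Constructed log.wb-* line, copied from the one quoted in the thread.
SAMPLE_WB_LINE = "Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)"

KLIST_TIME = "%m/%d/%Y %H:%M:%S"
_TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^\s*({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})\s*$")
WB_RE = re.compile(r"Current tickets expire in (\d+) seconds \(at (\d+), time is now (\d+)\)")


def parse_klist(text):
    """Return one dict per ticket: principal, start time, lifetime and renewable window in seconds."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), KLIST_TIME)
            expires = datetime.strptime(m.group(2), KLIST_TIME)
            tickets.append({
                "principal": m.group(3),
                "start": start,
                "lifetime_s": int((expires - start).total_seconds()),
                "renew_s": None,  # filled in if a "renew until" line follows
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            renew = datetime.strptime(m.group(1), KLIST_TIME)
            tickets[-1]["renew_s"] = int((renew - tickets[-1]["start"]).total_seconds())
    return tickets


def lifetime_hours(seconds):
    """Whole hours, tolerating the expiry being one second short as in the klist output above."""
    return round(seconds / 3600)


def check_lifetime(tickets, expected_hours):
    """Return the krbtgt/ principals whose lifetime does not match what was configured on the DC."""
    return [t["principal"] for t in tickets
            if t["principal"].startswith("krbtgt/")
            and lifetime_hours(t["lifetime_s"]) != expected_hours]


def parse_wb_expiry(line):
    """Parse winbind's expiry line and check that (expires_at - now) equals the remaining seconds."""
    m = WB_RE.search(line)
    if not m:
        return None
    remaining, expires_at, now = (int(g) for g in m.groups())
    return {"remaining_s": remaining, "consistent": expires_at - now == remaining}


if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(t["principal"], "lifetime", lifetime_hours(t["lifetime_s"]), "h, renewable for",
              None if t["renew_s"] is None else t["renew_s"] // 86400, "days")
    print("TGTs not at 24 h:", check_lifetime(parse_klist(SAMPLE_KLIST), 24))
    print("winbind:", parse_wb_expiry(SAMPLE_WB_LINE))
```

Run against real output, pipe `klist` into `parse_klist` and grep the "Current tickets expire in" lines out of log.wb-* into `parse_wb_expiry`; for the sample above `check_lifetime(..., 24)` reports the TGT, which is exactly the mismatch described in this message (24 configured on the DC, 10 observed on the client).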