[Samba] Kerberos ticket lifetime
jas at eecs.yorku.ca
Wed Sep 30 23:23:05 UTC 2020
On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote:
>> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>>> On the client, add:
>>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>> kdc:user ticket lifetime = 24 = 3600
>>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>> How do you determine what the ticket life time is?
>>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>> Hi Remy,
>> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.
> I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?
> Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?
> What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.
> The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.
On the domain controller (samba-ad-dc), I have in the config:
    kdc:user ticket lifetime = 24
When I login to the client (which is using pam_winbind module), I have
10 hour ticket life.
From klist output on the client:

    Valid starting       Expires              Service principal
    09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
        renew until 10/07/2020 19:13:38
The client is mounting from an NFS server that is also part of the domain.
I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the
client, it only takes effect if I use kinit, and that isn't really
After I understood that winbind should renew the ticket for me, I wanted
to test that, so the intention was to change kdc:user ticket lifetime =
1 and see what happens in an hour on client - would the ticket be
renewed, and I would continue to have access to the NFS share, or would
I be receiving an error and require kinit. Even these "kdc:" options
are not part of smb man page. I don't really understand why. I guess
everyone keeps the defaults?
the settings through /etc/krb5.conf
I wanted to reduce this number to 1 hour to ensure that winbind