[Samba] Winbind messes up Kerberos tickets when renewing them

Edwin Mackenzie-Owen edwin.mowen at gmail.com
Tue Dec 21 20:18:42 UTC 2021


Hi,

Winbind often messes up my Kerberos ticket when renewing it.
This is the valid ticket:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/20/21 21:40:12  12/21/21 07:40:12  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 12/21/21 21:40:07

Winbind then creates a ticket with a weird principal that I can't use
for SSO (sorry, I have only saved it in German):

$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
Standard-Principal: exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        für Client exampleuser@SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24

My krb5.conf (auth_to_local is for SSH SSO):

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        forwardable = true
[realms]
        SAMDOM.EXAMPLE.COM = {
                auth_to_local = RULE:[1:SAMDOM\$1]
                auth_to_local = DEFAULT
        }
[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM


smb.conf:

[global]
apply group policies = yes
client use kerberos = required
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios name = DHYANA
realm = SAMDOM.EXAMPLE.COM
security = ADS
server role = member server
template homedir = /home/%D/%U
template shell = /usr/bin/zsh
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 20
winbind nss info = rfc2307
winbind offline logon = yes
winbind refresh tickets = yes
workgroup = SAMDOM
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
winbind use default domain = no

Distribution and Samba version (both workstation and DC): Arch Linux /
Arch Linux / Arch Linux ARM; Samba 4.15.3.

Best regards,
Edwin Mackenzie-Owen
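As an added illustration (not part of the original post), a small Python model of how the two ticket principals shown above parse under krb5 quoting rules and what the auth_to_local entries from the krb5.conf above map each of them to. The principal strings are transcribed from the klist output; the simplified RULE/DEFAULT handling is this example's own assumption, not MIT krb5's code.

```python
import re

# Subset of the MIT krb5 auth_to_local RULE syntax (assumed here):
#   RULE:[n:format](selector)s/pattern/replacement/g
# Only the [n:format] part is mandatory.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")

# Entries from the [realms] section of the krb5.conf above, in order.
RULES = ["RULE:[1:SAMDOM\\$1]", "DEFAULT"]
DEFAULT_REALM = "SAMDOM.EXAMPLE.COM"

# Transcribed from the two klist outputs above (first good, then "weird").
GOOD = "exampleuser@SAMDOM.EXAMPLE.COM"
BAD = "exampleuser\\@SAMDOM@SAMDOM.EXAMPLE.COM"


def parse_principal(text):
    """Split a principal string into (components, realm) using krb5 quoting:
    a backslash makes the next character literal, so '\\@' stays inside the
    component instead of starting the realm."""
    components, buf, in_realm, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf += text[i + 1]          # escaped character is taken literally
            i += 2
            continue
        if not in_realm and ch in "/@":  # unescaped separator
            components.append(buf)
            buf, in_realm = "", ch == "@"
        elif in_realm and ch == "@":
            raise ValueError("malformed principal: %r" % text)
        else:
            buf += ch
        i += 1
    if in_realm:
        return components, buf
    return components + [buf], None


def apply_auth_to_local(rule, principal, default_realm=DEFAULT_REALM):
    """Local name one auth_to_local entry yields, or None if it does not apply."""
    comps, realm = parse_principal(principal)
    if rule == "DEFAULT":   # single component in the default realm -> component
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    n, fmt, selector, pattern, repl, flag = RULE_RE.match(rule).groups()
    if len(comps) != int(n):
        return None
    name = fmt.replace("$0", realm or "")
    for idx, comp in enumerate(comps, start=1):
        name = name.replace("$%d" % idx, comp)
    if selector and not re.search(selector, name):
        return None
    return re.sub(pattern, repl, name, count=0 if flag else 1) if pattern else name


def local_name(principal, rules=RULES):
    """First applicable entry wins, as krb5 evaluates auth_to_local in order."""
    return next((r for r in (apply_auth_to_local(x, principal) for x in rules)
                 if r is not None), None)


def looks_mangled(principal):
    """True when an '@' sits inside a component, as in the second klist output."""
    return any("@" in c for c in parse_principal(principal)[0])
```

Run against the two principals, the good one maps to `SAMDOM\exampleuser` while the renewed one maps to `SAMDOM\exampleuser@SAMDOM`, and `looks_mangled` can be used to spot the second form in a ccache check.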
