[Samba] Winbind messes up Kerberos tickets when renewing them
Edwin Mackenzie-Owen
edwin.mowen at gmail.com
Tue Dec 21 20:18:42 UTC 2021
Hi,
Winbind often messes up my Kerberos ticket when renewing it.
This is the valid ticket:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
12/20/21 21:40:12    12/21/21 07:40:12    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 12/21/21 21:40:07
Winbind then creates a ticket with a weird principal that I can't use
for SSO (sorry, I have only saved it in German):
$ klist
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        for client exampleuser@SAMDOM.EXAMPLE.COM, renew until 24.12.2021 15:05:24
My krb5.conf (auth_to_local is for SSH SSO):
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
forwardable = true
[realms]
SAMDOM.EXAMPLE.COM = {
auth_to_local = RULE:[1:SAMDOM\$1]
auth_to_local = DEFAULT
}
[domain_realm]
.samdom.example.com = SAMDOM.EXAMPLE.COM
smb.conf:
[global]
apply group policies = yes
client use kerberos = required
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
netbios name = DHYANA
realm = SAMDOM.EXAMPLE.COM
security = ADS
server role = member server
template homedir = /home/%D/%U
template shell = /usr/bin/zsh
usershare allow guests = Yes
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 20
winbind nss info = rfc2307
winbind offline logon = yes
winbind refresh tickets = yes
workgroup = SAMDOM
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
winbind use default domain = no
Distribution and Samba version (both workstation and DC): Arch Linux /
Arch Linux / Arch Linux ARM; Samba 4.15.3.
Best regards,
Edwin Mackenzie-Owen
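Added here as a check a practitioner can run against their own cache; it is not code from the poster or from the Samba project. It parses `klist` output and flags the two symptoms visible in the listings above: a default principal whose name part contains an escaped `@` (a user@REALM string wrapped inside another principal), and a ticket whose "for client" principal differs from the cache's default principal. The `check_ccache` function, the `CcacheReport` class and the two sample listings (transcribed from the post, with English labels) are assumptions of this example; it expects MIT-style `klist` output with English labels, so the live check runs `klist` with `LC_ALL=C`.

```python
"""Check a Kerberos credential cache, via klist output, for a mangled default principal."""
import os
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples transcribed from the two listings in the post
# (labels in English, "(at)" restored to "@").
GOOD_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
12/20/21 21:40:12    12/21/21 07:40:12    krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 12/21/21 21:40:07
"""

BAD_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234567
Default principal: exampleuser\\@SAMDOM@SAMDOM.EXAMPLE.COM

Valid starting       Expires              Service principal
17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        for client exampleuser@SAMDOM.EXAMPLE.COM, renew until 24.12.2021 15:05:24
"""


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last unescaped '@'.

    In Kerberos principal syntax a backslash quotes the next character, so
    the name part of the bad listing keeps its quoted '@' while the realm is
    whatever follows the final unquoted '@'.
    """
    last_at = -1
    i = 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2          # skip the quoted character
            continue
        if principal[i] == "@":
            last_at = i
        i += 1
    if last_at < 0:
        return principal, ""
    return principal[:last_at], principal[last_at + 1:]


def unescape(name: str) -> str:
    # Drop quoting backslashes; enough for quoted '@' and '/', not for \n, \t, \0.
    return re.sub(r"\\(.)", r"\1", name)


@dataclass
class CcacheReport:
    default_principal: Optional[str]
    client_principals: List[str] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.problems


def check_ccache(klist_output: str) -> CcacheReport:
    """Parse klist output and flag a mangled default principal or a mismatched ticket client."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_output, re.MULTILINE)
    report = CcacheReport(default_principal=m.group(1) if m else None)
    if report.default_principal is None:
        report.problems.append("no 'Default principal:' line (empty cache, or klist not run with LC_ALL=C?)")
        return report

    name, realm = split_principal(report.default_principal)
    if not realm:
        report.problems.append(f"default principal {report.default_principal!r} has no realm")
    if "@" in unescape(name):
        # Symptom 1 from the post: the name part is itself 'user@SOMETHING'.
        report.problems.append(
            f"default principal name part {unescape(name)!r} contains a literal '@'; "
            "services will not see the plain user@REALM they expect")

    # Symptom 2: klist prints 'for client X' when a ticket's client differs from the default principal.
    for cm in re.finditer(r"^\s*for client (\S+?),", klist_output, re.MULTILINE):
        client = cm.group(1)
        report.client_principals.append(client)
        if client != report.default_principal:
            report.problems.append(
                f"ticket client {client} differs from cache default principal {report.default_principal}")
    return report


def check_live_ccache() -> CcacheReport:
    """Run the real klist with English labels and check its output."""
    env = dict(os.environ, LC_ALL="C")
    out = subprocess.run(["klist"], capture_output=True, text=True, env=env)
    return check_ccache(out.stdout)


if __name__ == "__main__":
    for label, text in (("good sample", GOOD_KLIST), ("bad sample", BAD_KLIST)):
        r = check_ccache(text)
        print(f"{label}: {r.default_principal} -> {'OK' if r.ok() else 'PROBLEMS'}")
        for p in r.problems:
            print("  -", p)
    try:
        live = check_live_ccache()
        print("live ccache:", "OK" if live.ok() else "; ".join(live.problems))
    except FileNotFoundError:
        print("klist not installed; live check skipped")
```

Run it after `winbind refresh tickets` has renewed the cache (or from a cron job) to catch the mangled principal before an SSH or SMB single sign-on attempt fails; the "for client" line is the quickest tell, since klist only prints it when the ticket's client principal and the cache's default principal disagree.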