[Samba] Winbind messes up Kerberos tickets when renewing them
Rowland Penny
rpenny at samba.org
Tue Dec 21 21:01:44 UTC 2021
On Tue, 2021-12-21 at 21:18 +0100, Edwin Mackenzie-Owen via samba wrote:
> Hi,
>
> Winbind often messes up my Kerberos ticket when renewing it.
> This is the valid ticket:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_1234567
> Default principal: exampleuser@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/20/21 21:40:12  12/21/21 07:40:12  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 12/21/21 21:40:07
>
> Winbind then creates a ticket with a weird principal that I can't use
> for SSO (sorry, I have only saved it in German):
>
> $ klist
> Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234567
> Standard-Principal: exampleuser\@SAMDOM@SAMDOM.EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 17.12.2021 20:05:24  18.12.2021 06:05:24  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         für Client exampleuser@SAMDOM.EXAMPLE.COM, erneuern bis 24.12.2021 15:05:24
>
> My krb5.conf (auth_to_local is for SSH SSO):
>
> [libdefaults]
>     default_realm = SAMDOM.EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>     forwardable = true
> [realms]
>     SAMDOM.EXAMPLE.COM = {
>         auth_to_local = RULE:[1:SAMDOM\$1]
>         auth_to_local = DEFAULT
>     }
> [domain_realm]
>     .samdom.example.com = SAMDOM.EXAMPLE.COM

I do not have all that in krb5.conf (I just have the first 4 lines) and
it works for myself on Debian Buster using Samba 4.15.3.

Perhaps it is a problem with the Samba from Arch?

Rowland