[Samba] winbind & kerberos question

Andreas Hauffe andreas.hauffe at tu-dresden.de
Mon Jul 11 06:58:07 UTC 2022


Hi,

yes, it seems this was a bug and a fix is on the way.

https://bugzilla.suse.com/show_bug.cgi?id=1196224

Regards,
Andreas


On 05.07.22 at 19:40, Stefan Kania via samba wrote:
> I think it's not a configuration error; it must have something to do with
> winbind itself. I would say that winbind is trying to get a new ticket
> from the domain the machine is a member of. The parameter Rowland
> was posting:
> 'winbind scan trusted domains = yes'
> should fix this problem (it did in 4.12 and 4.13); that was the last time
> I configured a trust with more than two domains. I would open a
> bug report.
>
>
> On 27.06.22 at 12:45, Andreas Hauffe via samba wrote:
>> Dear list,
>>
>> I'm having trouble with refreshing Kerberos tickets with winbind. Our
>> clients are openSUSE Leap 15.4 clients with a separately built Samba
>> 4.16.2, and they are domain members of an AD domain named
>> ilrw.ing.dom.tu-dresden.de. This domain is a subdomain (two-way,
>> transitive trusts) of ing.dom.tu-dresden.de, which again is a subdomain
>> of dom.tu-dresden.de. User accounts are administered centrally in the
>> root domain dom.tu-dresden.de. If I log on to a client with a user account,
>> I get a TGT and service tickets and everything works fine, as seen
>> in the klist output:
>>
>> Ticket cache: FILE:/tmp/krb5cc_103321
>> Default principal: account@DOM.TU-DRESDEN.DE
>>
>> Valid starting       Expires              Service principal
>> 23.06.2022 17:34:16  24.06.2022 03:34:16  krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE
>>          renew until 30.06.2022 17:34:16
>> 23.06.2022 17:34:16  24.06.2022 03:34:16  LFTWORKLI06$@ILRW.ING.DOM.TU-DRESDEN.DE
>>          renew until 30.06.2022 17:34:16
>>
>> But after a while or overnight the ticket cache is deleted by winbind.
>> The logs say that winbind was trying to refresh the ticket. But winbind
>> tries to refresh krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE,
>> which is not in the cache, since
>> krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE is cached. This results in
>> destroying the ticket cache. My question is whether this is a configuration
>> error and what I have to change to avoid destroying the ticket cache.
>>
>> [2022/06/23 16:24:06.069415, 10, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:123(krb5_ticket_refresh_handler)
>>   krb5_ticket_refresh_handler: event called for: FILE:/tmp/krb5cc_103321, DOM+account
>> [2022/06/23 16:24:06.069772, 10, pid=11448, effective(103321, 0), real(103321, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
>>   smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving account@DOM.TU-DRESDEN.DE -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_103321 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_103321)
>> [2022/06/23 16:24:06.069819,  3, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:227(krb5_ticket_refresh_handler)
>>   krb5_ticket_refresh_handler: could not renew tickets: Matching credential not found
>> [2022/06/23 16:24:06.069908, 10, pid=11448, effective(0, 0), real(0, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
>>   smb_krb5_trace_cb: [11448] 1655994246.069602: Destroying ccache FILE:/tmp/krb5cc_103321
>>
>> smb.conf
>>
>> [global]
>>         bind interfaces only = Yes
>>         dedicated keytab file = /etc/krb5.keytab
>>         interfaces = lo eth0
>>         kerberos method = secrets and keytab
>>         realm = ILRW.ING.DOM.TU-DRESDEN.DE
>>         security = ADS
>>         template homedir = /home/home_ilrw/%U
>>         template shell = /bin/bash
>>         winbind refresh tickets = yes
>>         winbind separator = +
>>         workgroup = ILRW
>>         idmap config dom : range = 10000-9999999 # UID from RID for DOM
>>         idmap config dom : backend = rid
>>         idmap config ilrw : range = 3000-9999 # UID from RID for ILRW
>>         idmap config ilrw : backend = rid
>>         idmap config * : range = 2000-2999
>>         idmap config * : backend = tdb
>>
>> krb5.conf
>>
>> [libdefaults]
>>         default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>         ticket_lifetime = 24h
>>         renew_lifetime = 7d
>>         forwardable = true
>>
>> [realms]
>>    ILRW.ING.DOM.TU-DRESDEN.DE = {
>>         auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
>>         auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
>>         auth_to_local = DEFAULT
>>    }
>>
>> Regards,
>>
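The check below is an added example, not code from the thread or from Samba. It reproduces offline what the report shows: it parses klist-style output (a constructed sample in klist's English wording, with the principals from the report; the original post shows the German localisation), derives from the user's default principal the krbtgt entry winbind needs for renewal, and contrasts it with the krbtgt principal the quoted smb_krb5_trace_cb line shows winbind asking for. The member realm is taken from the smb.conf `realm` value; the trace line is the quoted one, unwrapped. Function names (`parse_klist`, `krbtgt_candidates`, `diagnose`, `parse_retrieve_trace`, `matches_report`) are this example's own.

```python
"""Offline check for the winbind ticket-refresh failure from the report.

Added example, not from the thread or from Samba. Sample inputs below are
constructed from the principals and log text in the report.
"""
import re

# Constructed: the cache from the report, in klist's English wording.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_103321
Default principal: account@DOM.TU-DRESDEN.DE

Valid starting       Expires              Service principal
23.06.2022 17:34:16  24.06.2022 03:34:16  krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE
\trenew until 30.06.2022 17:34:16
23.06.2022 17:34:16  24.06.2022 03:34:16  LFTWORKLI06$@ILRW.ING.DOM.TU-DRESDEN.DE
\trenew until 30.06.2022 17:34:16
"""

# Constructed: the libkrb5 trace line quoted in the report, unwrapped.
SAMPLE_TRACE = (
    "smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving "
    "account@DOM.TU-DRESDEN.DE -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE "
    "from FILE:/tmp/krb5cc_103321 with result: -1765328243/Matching credential "
    "not found (filename: /tmp/krb5cc_103321)"
)

# "<valid starting>  <expires>  <service principal>"; dates start with a digit,
# so the column header and the "Ticket cache:" line do not match.
ENTRY_RE = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+)$")
TRACE_RE = re.compile(
    r"Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/(.*?) "
    r"\(filename: ([^)]+)\)"
)


def realm_of(principal):
    """Realm of a principal: the text after the last '@'."""
    return principal.rsplit("@", 1)[1]


def parse_klist(text):
    """Return (default principal, {service principal: 'renew until' or None})."""
    default, tickets, last = None, {}, None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            last = m.group(3)
            tickets[last] = None
            continue
        stripped = line.strip()
        if stripped.startswith("renew until") and last is not None:
            tickets[last] = stripped[len("renew until"):].strip()
    return default, tickets


def krbtgt_candidates(default_principal, member_realm):
    """The TGT winbind has to renew for this user (user realm in both places),
    and the principal the report's trace shows it looking up instead
    (member realm as service component, user realm as realm)."""
    user_realm = realm_of(default_principal)
    return {
        "expected": f"krbtgt/{user_realm}@{user_realm}",
        "observed": f"krbtgt/{member_realm}@{user_realm}",
    }


def diagnose(klist_text, member_realm):
    """Which of the two krbtgt principals the cache actually holds."""
    default, tickets = parse_klist(klist_text)
    cand = krbtgt_candidates(default, member_realm)
    return {
        "default_principal": default,
        "cross_realm_user": realm_of(default) != member_realm,
        "expected_present": cand["expected"] in tickets,
        "observed_present": cand["observed"] in tickets,
        **cand,
    }


def parse_retrieve_trace(line):
    """Parse a 'Retrieving <client> -> <server> from <cache> with result: ...'
    trace record; returns None for any other line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    client, server, cache, code, message, filename = m.groups()
    return {"client": client, "server": server, "cache": cache,
            "code": int(code), "message": message, "filename": filename,
            "failed": int(code) != 0}


def matches_report(diag, trace):
    """True for the pattern in the thread: the lookup failed, it asked for the
    member-realm krbtgt, and only the user-realm TGT is in the cache."""
    return (trace is not None and trace["failed"]
            and trace["server"] == diag["observed"]
            and diag["expected_present"] and not diag["observed_present"])


if __name__ == "__main__":
    d = diagnose(SAMPLE_KLIST, "ILRW.ING.DOM.TU-DRESDEN.DE")
    t = parse_retrieve_trace(SAMPLE_TRACE)
    for key, value in d.items():
        print(f"{key}: {value}")
    print("pattern from the report:", matches_report(d, t))
```

On a real client, feed `klist` output for the user's cache and the `class=kerberos` trace lines from `log level = 10` into `diagnose()` and `parse_retrieve_trace()`; `cross_realm_user` being true together with `observed_present` false is the situation the report describes, and a machine whose users live in the member realm never hits it because both candidates collapse to the same principal.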

