[Samba] winbind & kerberos question
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Mon Jun 27 10:45:39 UTC 2022
Dear list,
I'm having trouble with refreshing Kerberos tickets with winbind. Our
clients are openSUSE Leap 15.4 clients with a separately built Samba
4.16.2, and they are domain members of an AD domain named
ilrw.ing.dom.tu-dresden.de. This domain is a subdomain (two-way,
transitive trusts) of ing.dom.tu-dresden.de, which in turn is a subdomain
of dom.tu-dresden.de. User accounts are administered centrally in the
root domain dom.tu-dresden.de. If I log on to a client with a user account,
I get a TGT and service tickets and everything works fine, as seen
in the klist output:
Ticketzwischenspeicher: FILE:/tmp/krb5cc_103321
Standard-Principal: account@DOM.TU-DRESDEN.DE
Valid starting       Expires              Service principal
23.06.2022 17:34:16  24.06.2022 03:34:16  krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE
        erneuern bis 30.06.2022 17:34:16
23.06.2022 17:34:16  24.06.2022 03:34:16  LFTWORKLI06$@ILRW.ING.DOM.TU-DRESDEN.DE
        erneuern bis 30.06.2022 17:34:16
But after a while, or overnight, the ticket cache is deleted by winbind.
The logs say that winbind was trying to refresh the ticket, but winbind
tries to refresh krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE,
which is not in the cache, since
krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE is what is cached. This results in
the ticket cache being destroyed. My question is whether this is a configuration
error and what I have to change to avoid destroying the ticket cache.
[2022/06/23 16:24:06.069415, 10, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:123(krb5_ticket_refresh_handler)
krb5_ticket_refresh_handler: event called for: FILE:/tmp/krb5cc_103321, DOM+account
[2022/06/23 16:24:06.069772, 10, pid=11448, effective(103321, 0), real(103321, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving account@DOM.TU-DRESDEN.DE -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_103321 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_103321)
[2022/06/23 16:24:06.069819, 3, pid=11448, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cred_cache.c:227(krb5_ticket_refresh_handler)
krb5_ticket_refresh_handler: could not renew tickets: Matching credential not found
[2022/06/23 16:24:06.069908, 10, pid=11448, effective(0, 0), real(0, 0), class=kerberos] ../../lib/krb5_wrap/krb5_samba.c:3867(smb_krb5_trace_cb)
smb_krb5_trace_cb: [11448] 1655994246.069602: Destroying ccache FILE:/tmp/krb5cc_103321
smb.conf
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
interfaces = lo eth0
kerberos method = secrets and keytab
realm = ILRW.ING.DOM.TU-DRESDEN.DE
security = ADS
template homedir = /home/home_ilrw/%U
template shell = /bin/bash
winbind refresh tickets = yes
winbind separator = +
workgroup = ILRW
idmap config dom : range = 10000-9999999 # UID from RID for DOM
idmap config dom : backend = rid
idmap config ilrw : range = 3000-9999 # UID from RID for ILRW
idmap config ilrw : backend = rid
idmap config * : range = 2000-2999
idmap config * : backend = tdb
krb5.conf
[libdefaults]
default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
ILRW.ING.DOM.TU-DRESDEN.DE = {
auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
auth_to_local = DEFAULT
}
Regards,
--
Andreas Hauffe
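As an added diagnostic (my own example, not code from the post or from Samba), the following Python parses a klist cache listing together with the winbind "Retrieving ... with result" trace line and reports whether the krbtgt that winbind asked for is actually in the cache and whether its realm differs from the user's own realm. The sample input is constructed from the post's output with "@" restored, and the parser accepts both the German and the English klist labels.

```python
import re
# Constructed sample modelled on the klist output and winbind trace in the post
# (the archive's " at " restored to "@"); LFTWORKLI06$ is the client's machine account.
KLIST_OUTPUT = """\
Ticketzwischenspeicher: FILE:/tmp/krb5cc_103321
Standard-Principal: account@DOM.TU-DRESDEN.DE
Valid starting       Expires              Service principal
23.06.2022 17:34:16  24.06.2022 03:34:16  krbtgt/DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE
\terneuern bis 30.06.2022 17:34:16
23.06.2022 17:34:16  24.06.2022 03:34:16  LFTWORKLI06$@ILRW.ING.DOM.TU-DRESDEN.DE
\terneuern bis 30.06.2022 17:34:16
"""
TRACE_LINE = ("smb_krb5_trace_cb: [11448] 1655994246.069600: Retrieving account@DOM.TU-DRESDEN.DE"
              " -> krbtgt/ILRW.ING.DOM.TU-DRESDEN.DE@DOM.TU-DRESDEN.DE from FILE:/tmp/krb5cc_103321 with"
              " result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_103321)")
TS = r"\d\d\.\d\d\.\d{4} \d\d:\d\d:\d\d"                  # klist timestamp, dd.mm.yyyy hh:mm:ss
ENTRY_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")      # valid-from, expires, service principal
RENEW_RE = re.compile(rf"(?:erneuern bis|renew until)\s+({TS})")
TRACE_RE = re.compile(r"Retrieving (\S+) -> (\S+) from (\S+) with result: (-?\d+)/(.*?) \(filename")

def parse_klist(text):
    """Return (default principal, {service principal: {'expires', 'renew_until'}})."""
    principal, tickets, last = None, {}, None
    for line in text.splitlines():
        if line.startswith(("Standard-Principal:", "Default principal:")):
            principal = line.split(":", 1)[1].strip()
        elif (m := ENTRY_RE.match(line)):
            last = m.group(3)
            tickets[last] = {"expires": m.group(2), "renew_until": None}
        elif (m := RENEW_RE.search(line)) and last:
            tickets[last]["renew_until"] = m.group(1)
    return principal, tickets

def check_refresh(klist_text, trace_line):
    """Compare the krbtgt winbind asked for against the TGT actually in the cache."""
    principal, tickets = parse_klist(klist_text)
    m = TRACE_RE.search(trace_line)
    if m is None or principal is None:
        return None
    client, wanted, _ccache, code, msg = m.groups()
    user_realm = principal.rsplit("@", 1)[1]
    wanted_realm = wanted.split("/", 1)[1].split("@", 1)[0]   # REALM in krbtgt/REALM@...
    return {
        "client_is_user": client == principal,
        "wanted": wanted,
        "in_cache": wanted in tickets,
        "cached_tgts": [s for s in tickets if s.startswith("krbtgt/")],
        "tgt_realm_mismatch": wanted_realm != user_realm,     # the post's failure mode
        "krb5_code": int(code),
        "message": msg,
    }
```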