[Samba] Ticket expires after 10h

Kees van Vloten keesvanvloten at gmail.com
Tue Mar 1 00:19:59 UTC 2022


Hi team,

On my Linux desktop the krb5 ticket of my user expires after 10h. klist 
just returns nothing:

$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_10004)

After kinit + password klist does show the expected output:

$ klist
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28 krbtgt/EXAMPLE.COM@EXAMPLE.COM

On the desktop I run Bullseye with stock Samba (4.13.13) and winbind for 
nss and pam, the DCs are running on 4.15.5 from Louis' repo.

/etc/samba/smb.conf:

[global]
         interfaces = lo
         bind interfaces only = yes
         netbios name = DESKTOP1
         security = ADS
         realm = EXAMPLE.COM
         workgroup = EXAMPLE
         idmap config example:backend = ad
         idmap config example:schema_mode = rfc2307
         idmap config example:unix_primary_group = yes
         idmap config example:unix_nss_info = yes
         idmap config example:range = 1001-100000
         idmap config *:backend = tdb
         idmap config *:range = 1000000-1999999
         winbind nss info = rfc2307
         winbind cache time = 300
         winbind enum groups = no
         winbind enum users = no
         winbind expand groups = 10
         winbind normalize names = no
         winbind offline logon = yes
         lock directory = /var/cache/samba
         winbind refresh tickets = yes
         winbind scan trusted domains = no
         winbind use default domain = yes
         kerberos method = secrets and keytab
         kerberos encryption types = strong
         rpc server dynamic port range = 50000-55000
         ntlm auth = mschapv2-and-ntlmv2-only
         disable netbios = yes
         template homedir = /home/%U
         template shell = /bin/bash
         tls enabled = yes
         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
         tls cafile = /etc/ssl/certs/ca.pem
         min domain uid = 1001
         dedicated keytab file = /etc/krb5.keytab

/etc/security/pam_winbind.conf

[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118

I was under the impression that winbind would renew the ticket with the 
above settings.

Why is my ticket not renewed automatically?

- Kees
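A check for the situation described in this post, added here as an example that is not part of the original message or of Samba: it parses `klist` output (the post's own output, reused as constructed sample input, plus a constructed variant carrying a `renew until` line) and reports the TGT lifetime and whether the ticket is renewable at all. In Kerberos a ticket issued without a renewable lifetime cannot be renewed, only replaced by obtaining a new one, so whatever mechanism is meant to extend a ticket, the first thing to confirm is that the TGT actually comes with a `renew until` time. Principal, realm and cache path come from the post; the renew-until date and the helper names are invented for the example.

```python
import re
from datetime import datetime

# Constructed sample 1: the klist output from the post. There is no
# "renew until" line, so this TGT has no renewable lifetime.
SAMPLE_NOT_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed sample 2: the same TGT as MIT klist prints it when the ticket
# carries a renewable lifetime (an indented "renew until" line). The date is
# invented for the example.
SAMPLE_RENEWABLE = SAMPLE_NOT_RENEWABLE + "\trenew until 03/08/22 00:55:34\n"

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"  # klist's default timestamp layout
TS_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")
CACHE_RE = re.compile(r"^Ticket cache:\s*(\S+)", re.M)


def parse_klist(text):
    """Return the tickets listed in klist output as dicts.

    Each dict has service, start, expires and renew_until (None when the
    ticket has no renewable lifetime).
    """
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "renew_until": None,
            })
            continue
        # "renew until" belongs to the ticket printed just before it.
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return tickets


def tgt_status(text, realm):
    """Summarise the TGT for `realm`, or return None when klist shows no TGT
    (for example the "No credentials cache found" message from the post)."""
    tgt_name = f"krbtgt/{realm}@{realm}"
    tgts = [t for t in parse_klist(text) if t["service"] == tgt_name]
    if not tgts:
        return None
    tgt = tgts[0]
    renewable = tgt["renew_until"] is not None
    cache = CACHE_RE.search(text)
    return {
        "cache": cache.group(1) if cache else None,
        "lifetime_seconds": int((tgt["expires"] - tgt["start"]).total_seconds()),
        "renewable": renewable,
        "renew_window_seconds": (
            int((tgt["renew_until"] - tgt["start"]).total_seconds()) if renewable else 0
        ),
        "verdict": (
            "renewable: a renewal inside the renew window can extend the ticket"
            if renewable
            else "not renewable: the ticket can only be replaced by a fresh TGT"
        ),
    }


if __name__ == "__main__":
    for label, sample in (("post", SAMPLE_NOT_RENEWABLE), ("variant", SAMPLE_RENEWABLE)):
        status = tgt_status(sample, "EXAMPLE.COM")
        hours = status["lifetime_seconds"] / 3600
        print(f"{label}: TGT in {status['cache']} lives {hours:.2f}h, {status['verdict']}")
```

Run against real output with `klist | python3 this_script.py`-style piping after replacing the sample with `sys.stdin.read()`; a TGT that shows no renew window is the case to investigate before looking at any refresh setting.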