[Samba] Ticket expires after 10h
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Tue Mar 1 10:00:19 UTC 2022
Hi,
This sounds like a bug (https://bugzilla.suse.com/show_bug.cgi?id=1196224) that we are facing, too.
There is a bug fix in the samba master already (https://gitlab.com/samba-team/samba/-/merge_requests/2405).
But as far as I got it, this bug is only relevant for samba 4.15, due to the change of the default setting to "winbind use krb5 enterprise principals = yes". Since you are using 4.13, this shouldn't affect you.
Regards,
Andreas
On 01.03.22 at 01:19, Kees van Vloten via samba wrote:
> Hi team,
>
> On my Linux desktop the krb5 ticket of my user expires after 10h.
> klist just returns nothing:
>
> $ klist
> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>
> After kinit + password klist does show the expected output:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_10004
> Default principal: test1@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind
> for nss and pam, the DCs are running on 4.15.5 from Louis' repo.
>
> /etc/samba/smb.conf:
>
> [global]
> interfaces = lo
> bind interfaces only = yes
> netbios name = DESKTOP1
> security = ADS
> realm = EXAMPLE.COM
> workgroup = EXAMPLE
> idmap config example:backend = ad
> idmap config example:schema_mode = rfc2307
> idmap config example:unix_primary_group = yes
> idmap config example:unix_nss_info = yes
> idmap config example:range = 1001-100000
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind nss info = rfc2307
> winbind cache time = 300
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 10
> winbind normalize names = no
> winbind offline logon = yes
> lock directory = /var/cache/samba
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
> min domain uid = 1001
> dedicated keytab file = /etc/krb5.keytab
>
> /etc/security/pam_winbind.conf
>
> [global]
> warn_pwd_expire = 30
> cached_login = yes
> krb5_auth = yes
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
>
> I was under the impression that winbind would renew the ticket with
> the above settings.
>
> Why is my ticket not renewed automatically?
>
> - Kees
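As an added example (not code from the thread or from the Samba project), a small check that parses klist output in the format quoted above and reports whether the user's TGT is missing, expired, about to expire, or still valid; it is the kind of probe one would run from cron to notice a ticket that winbind has not refreshed before it lapses. The sample klist output below is constructed, and the 'expiring' threshold of one hour is an assumption.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample output in the klist format quoted in the thread (not captured from a real host).
KLIST_OK = """Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
KLIST_EMPTY = "klist: No credentials cache found (filename: /tmp/krb5cc_10004)\n"

TS_FMT = "%m/%d/%y %H:%M:%S"
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)", re.M)


def parse_klist(text):
    """Return (principal, tickets); principal is None when no cache exists.
    Each ticket is (valid_from, expires, service) with datetime values."""
    if "No credentials cache found" in text:
        return None, []
    m = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    principal = m.group(1) if m else None
    tickets = [(datetime.strptime(s, TS_FMT), datetime.strptime(e, TS_FMT), svc)
               for s, e, svc in TICKET_RE.findall(text)]
    return principal, tickets


def tgt_status(text, now=None, warn_within=timedelta(hours=1)):
    """Classify the TGT as 'missing', 'expired', 'expiring' or 'ok' and return
    (status, remaining_lifetime). 'expiring' means the ticket lapses within
    warn_within, i.e. winbind has not refreshed it yet."""
    now = now or datetime.now()
    principal, tickets = parse_klist(text)
    tgts = [t for t in tickets if t[2].startswith("krbtgt/")]
    if principal is None or not tgts:
        return "missing", None
    _, expires, _ = tgts[0]
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired", remaining
    if remaining <= warn_within:
        return "expiring", remaining
    return "ok", remaining


if __name__ == "__main__":
    # Run the real klist for the current user; the "No credentials cache" message goes to stderr.
    p = subprocess.run(["klist"], capture_output=True, text=True)
    print(tgt_status(p.stdout + p.stderr))
```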