[Samba] Ticket expires after 10h

Andreas Hauffe andreas.hauffe at tu-dresden.de
Tue Mar 1 10:00:19 UTC 2022


Hi,

this sounds like a bug 
(https://bugzilla.suse.com/show_bug.cgi?id=1196224) that we are facing, too. 
There is a bug fix in Samba master already 
(https://gitlab.com/samba-team/samba/-/merge_requests/2405).

But as far as I understand it, this bug is only relevant for Samba 4.15, due 
to the change of the default setting to "winbind use krb5 enterprise 
principals = yes". Since you are using 4.13, this shouldn't affect you.

Regards,
Andreas

On 01.03.22 at 01:19, Kees van Vloten via samba wrote:
> Hi team,
>
> On my Linux desktop the krb5 ticket of my user expires after 10h. 
> klist just returns nothing:
>
> $ klist
> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>
> After kinit + password klist does show the expected output:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_10004
> Default principal: test1@EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind 
> for nss and pam, the DCs are running on 4.15.5 from Louis' repo.
>
> /etc/samba/smb.conf:
>
> [global]
>         interfaces = lo
>         bind interfaces only = yes
>         netbios name = DESKTOP1
>         security = ADS
>         realm = EXAMPLE.COM
>         workgroup = EXAMPLE
>         idmap config example:backend = ad
>         idmap config example:schema_mode = rfc2307
>         idmap config example:unix_primary_group = yes
>         idmap config example:unix_nss_info = yes
>         idmap config example:range = 1001-100000
>         idmap config *:backend = tdb
>         idmap config *:range = 1000000-1999999
>         winbind nss info = rfc2307
>         winbind cache time = 300
>         winbind enum groups = no
>         winbind enum users = no
>         winbind expand groups = 10
>         winbind normalize names = no
>         winbind offline logon = yes
>         lock directory = /var/cache/samba
>         winbind refresh tickets = yes
>         winbind scan trusted domains = no
>         winbind use default domain = yes
>         kerberos method = secrets and keytab
>         kerberos encryption types = strong
>         rpc server dynamic port range = 50000-55000
>         ntlm auth = mschapv2-and-ntlmv2-only
>         disable netbios = yes
>         template homedir = /home/%U
>         template shell = /bin/bash
>         tls enabled = yes
>         tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>         tls cafile = /etc/ssl/certs/ca.pem
>         min domain uid = 1001
>         dedicated keytab file = /etc/krb5.keytab
>
> /etc/security/pam_winbind.conf
>
> [global]
> warn_pwd_expire = 30
> cached_login = yes
> krb5_auth = yes
> require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118
>
> I was under the impression that winbind would renew the ticket with 
> the above settings.
>
> Why is my ticket not renewed automatically?
>
> - Kees
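The question in the quoted message is whether winbind will refresh the TGT. Per smb.conf(5), "winbind refresh tickets = yes" only refreshes tickets that pam_winbind obtained (so krb5_auth = yes in pam_winbind.conf is required), and Kerberos renewal is only possible at all when the KDC issued the TGT as renewable, which MIT klist shows as a "renew until" line (and as flag R with klist -f); the klist output quoted above has no such line. The script below is an added example, not code from the thread or from the Samba project: it parses constructed smb.conf, pam_winbind.conf and MIT "klist -f" text and reports which precondition fails. The sample texts and the function names (conf_value, tgt_flags, tgt_renewable, check_refresh_preconditions) are assumptions of this example, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: check the preconditions winbind
# needs before "winbind refresh tickets = yes" can do anything for a user's TGT.
# All inputs are plain text on stdin or in variables, so the script runs offline.

# Print the value of one [global] parameter from smb.conf / pam_winbind.conf style text on stdin.
# Keys match case-insensitively with surrounding whitespace ignored; prints nothing if unset.
conf_value() {
  awk -F= -v k="$1" '
    /^[ \t]*\[/ { insect = (tolower($0) ~ /\[global\]/); next }
    insect && !/^[ \t]*[#;]/ && NF >= 2 {
      n = $1; gsub(/^[ \t]+|[ \t]+$/, "", n)
      if (tolower(n) == tolower(k)) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }'
}

# Print the flag letters of the krbtgt entry from MIT "klist -f" output on stdin
# (e.g. FRIA; R means renewable). Prints nothing when there is no TGT in the cache.
tgt_flags() {
  awk '/krbtgt\// { want = 1; next }
       want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print $1; exit }'
}

# Exit 0 when the TGT on stdin carries the R flag; a ticket issued without it cannot be renewed.
tgt_renewable() {
  case "$(tgt_flags)" in *R*) return 0 ;; *) return 1 ;; esac
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Arguments: smb.conf text, pam_winbind.conf text, "klist -f" text.
# Prints "ok" and returns 0 when every precondition holds, else the failing item and returns 1.
check_refresh_preconditions() {
  _v=$(printf '%s\n' "$1" | conf_value "winbind refresh tickets")
  [ "$(lc "$_v")" = yes ] ||
    { echo "smb.conf: winbind refresh tickets is '${_v:-unset}', need yes"; return 1; }
  _v=$(printf '%s\n' "$2" | conf_value "krb5_auth")
  [ "$(lc "$_v")" = yes ] ||
    { echo "pam_winbind.conf: krb5_auth is '${_v:-unset}', need yes (winbind only refreshes tickets pam_winbind obtained)"; return 1; }
  _f=$(printf '%s\n' "$3" | tgt_flags)
  case "$_f" in
    "")  echo "klist: no TGT in the cache, nothing to refresh"; return 1 ;;
    *R*) ;;
    *)   echo "klist: TGT flags '$_f' lack R (not renewable); check the KDC's renewal policy"; return 1 ;;
  esac
  echo ok
}

# Constructed sample inputs (not captured from a real system); dates mirror the thread.
SMB_CONF='[global]
        security = ADS
        winbind refresh tickets = yes
        winbind offline logon = yes'
PAM_CONF='[global]
krb5_auth = yes
cached_login = yes'
KLIST_EMPTY='klist: No credentials cache found (filename: /tmp/krb5cc_10004)'
KLIST_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA'
KLIST_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 03/08/22 00:55:34, Flags: FRIA'

for kl in "$KLIST_EMPTY" "$KLIST_NONRENEWABLE" "$KLIST_RENEWABLE"; do
  if check_refresh_preconditions "$SMB_CONF" "$PAM_CONF" "$kl"; then
    echo "-> winbind can refresh this ticket"
  else
    echo "-> winbind will not refresh this ticket"
  fi
done
```

On a real desktop the three inputs are /etc/samba/smb.conf, /etc/security/pam_winbind.conf and the output of `klist -f` run as the user; only the renewable case lets winbind extend the ticket, and even then only up to the renewable lifetime the KDC granted, after which a fresh logon is needed.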



More information about the samba mailing list