[Samba] Ticket expires after 10h
Rowland Penny
rpenny at samba.org
Tue Mar 1 10:33:23 UTC 2022
On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
> Hi team,
>
> On my Linux desktop the krb5 ticket of my user expires after 10h.
> klist just returns nothing:
>
> $ klist
> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>
> After kinit + password klist does show the expected output:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_10004
> Default principal: test1@EXAMPLE.COM
>
> Valid starting       Expires              Service principal
> 03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>
> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind for
> nss and pam; the DCs are running 4.15.5 from Louis' repo.
>
> /etc/samba/smb.conf:
>
> [global]
> interfaces = lo
> bind interfaces only = yes
> netbios name = DESKTOP1
> security = ADS
> realm = EXAMPLE.COM
> workgroup = EXAMPLE
> idmap config example:backend = ad
> idmap config example:schema_mode = rfc2307
> idmap config example:unix_primary_group = yes
> idmap config example:unix_nss_info = yes
> idmap config example:range = 1001-100000
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
> winbind nss info = rfc2307
> winbind cache time = 300
> winbind enum groups = no
> winbind enum users = no
> winbind expand groups = 10
> winbind normalize names = no
> winbind offline logon = yes
> lock directory = /var/cache/samba
> winbind refresh tickets = yes
> winbind scan trusted domains = no
> winbind use default domain = yes
> kerberos method = secrets and keytab
> kerberos encryption types = strong
> rpc server dynamic port range = 50000-55000
> ntlm auth = mschapv2-and-ntlmv2-only
> disable netbios = yes
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = yes
> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
> tls cafile = /etc/ssl/certs/ca.pem
> min domain uid = 1001
I think I understand what is going wrong here: winbind is renewing my
tickets (on 4.15.5), but I also have these two lines:
username map = /etc/samba/user.map
min domain uid = 0
The user.map contains:
!root = SAMDOM\Administrator
I think that you have turned off root's ability to change the ticket.
Rowland
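A small diagnostic for the symptom discussed in this thread, added here as an example and not code from either poster or from the Samba project. It parses MIT `klist` output and the `[global]` section of `smb.conf` and reports the two things to check first when a TGT silently lapses: whether the TGT is renewable at all (a `renew until` line later than `Expires`), and whether `winbind refresh tickets` is set, since winbind only renews a ticket that the KDC issued as renewable. The `klist` listing and the `smb.conf` excerpt are constructed samples modelled on the ones quoted above; the `min domain uid` value is carried into the report but no conclusion is drawn from it.

```python
"""Check why a Kerberos TGT lapses at its expiry: is it renewable, and is
winbind configured to renew it?  Input formats follow MIT klist and smb.conf."""
import re
from datetime import datetime

# Constructed sample, modelled on the klist listing quoted in the thread.
# Note the absence of a "renew until" line under the ticket.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# The same listing as MIT klist prints it for a renewable TGT (constructed).
SAMPLE_KLIST_RENEWABLE = SAMPLE_KLIST + "\trenew until 03/08/22 00:55:34\n"

# Constructed excerpt of the desktop [global] section from the thread.
SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   realm = EXAMPLE.COM
   winbind refresh tickets = yes
   winbind offline logon = yes
   min domain uid = 1001
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({STAMP})")


def parse_klist(text):
    """Return one dict per ticket: start, expires, service, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # klist prints the renew-until stamp on the line after the ticket.
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def parse_smb_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def assess_renewal(klist_text, smb_conf_text):
    """Combine both views and list the reasons the TGT will not be renewed."""
    conf = parse_smb_global(smb_conf_text)
    tgts = [t for t in parse_klist(klist_text) if t["service"].startswith("krbtgt/")]
    report = {
        "tgt_lifetime_hours": None,
        "renewable": False,
        "winbind_refresh": conf.get("winbind refresh tickets", "no").lower() == "yes",
        "min_domain_uid": conf.get("min domain uid"),
        "findings": [],
    }
    if not tgts:
        report["findings"].append("no krbtgt in the cache: nothing to renew")
        return report
    tgt = tgts[0]
    report["tgt_lifetime_hours"] = (tgt["expires"] - tgt["start"]).total_seconds() / 3600
    report["renewable"] = (tgt["renew_until"] is not None
                           and tgt["renew_until"] > tgt["expires"])
    if not report["renewable"]:
        report["findings"].append(
            "TGT has no usable 'renew until': it cannot be renewed, only re-obtained")
    if not report["winbind_refresh"]:
        report["findings"].append(
            "'winbind refresh tickets' is not 'yes': winbind will not renew tickets")
    return report


if __name__ == "__main__":
    for label, listing in (("as quoted", SAMPLE_KLIST), ("renewable", SAMPLE_KLIST_RENEWABLE)):
        r = assess_renewal(listing, SAMPLE_SMB_CONF)
        print(f"{label}: lifetime {r['tgt_lifetime_hours']:.2f}h, "
              f"renewable={r['renewable']}, winbind_refresh={r['winbind_refresh']}")
        for f in r["findings"]:
            print("  -", f)
```

On a real desktop, feed it `klist` output for the user's own cache and the live `smb.conf`; a TGT that shows no `renew until` will expire after its lifetime whatever winbind is set to, so the KDC-side renewable lifetime is the first thing to look at.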