[Samba] Ticket expires after 10h

Kees van Vloten keesvanvloten at gmail.com
Wed Mar 2 14:19:39 UTC 2022


On 02-03-2022 15:10, Rowland Penny via samba wrote:
> On Wed, 2022-03-02 at 14:50 +0100, Kees van Vloten via samba wrote:
>> On 01-03-2022 11:33, Rowland Penny via samba wrote:
>>> On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
>>>> Hi team,
>>>>
>>>> On my Linux desktop the krb5 ticket of my user expires after 10h. klist
>>>> just returns nothing:
>>>>
>>>> $ klist
>>>> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>>>>
>>>> After kinit + password klist does show the expected output:
>>>>
>>>> $ klist
>>>> Ticket cache: FILE:/tmp/krb5cc_10004
>>>> Default principal: test1@EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>>
>>>> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind
>>>> for nss and pam, the DCs are running on 4.15.5 from Louis' repo.
>>>>
>>>> /etc/samba/smb.conf:
>>>>
>>>> [global]
>>>> interfaces = lo
>>>> bind interfaces only = yes
>>>> netbios name = DESKTOP1
>>>> security = ADS
>>>> realm = EXAMPLE.COM
>>>> workgroup = EXAMPLE
>>>> idmap config example:backend = ad
>>>> idmap config example:schema_mode = rfc2307
>>>> idmap config example:unix_primary_group = yes
>>>> idmap config example:unix_nss_info = yes
>>>> idmap config example:range = 1001-100000
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 1000000-1999999
>>>> winbind nss info = rfc2307
>>>> winbind cache time = 300
>>>> winbind enum groups = no
>>>> winbind enum users = no
>>>> winbind expand groups = 10
>>>> winbind normalize names = no
>>>> winbind offline logon = yes
>>>> lock directory = /var/cache/samba
>>>> winbind refresh tickets = yes
>>>> winbind scan trusted domains = no
>>>> winbind use default domain = yes
>>>> kerberos method = secrets and keytab
>>>> kerberos encryption types = strong
>>>> rpc server dynamic port range = 50000-55000
>>>> ntlm auth = mschapv2-and-ntlmv2-only
>>>> disable netbios = yes
>>>> template homedir = /home/%U
>>>> template shell = /bin/bash
>>>> tls enabled = yes
>>>> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>>>> tls cafile = /etc/ssl/certs/ca.pem
>>>> min domain uid = 1001
>>> I think I understand what is going wrong here, winbind is renewing my
>>> tickets (on 4.15.5), but I also have these two lines:
>>>
>>> username map = /etc/samba/user.map
>>> min domain uid = 0
>>>
>>> The user.map contains:
>>>
>>> !root = SAMDOM\Administrator
>>>
>>> I think that you have turned off root's ability to change the
>>> ticket.
>>>
>>> Rowland
>>>
>>>
>>>
>> I added that setting after reading the release notes of 4.15.3
>> (CVE-2020-25717). Does it mean the advice in the CVE has this adverse
>> effect? Does this doc need an update to prevent other users running into
>> the same issue?
>>
>>
>> I left my desktop powered-on last night. I can confirm everything still
>> works, i.e. @Rowland your suggestion fixed it :-)
>>
>> There is an interesting difference between the klist before the renew
>> and after though:
>>
>> klist before ticket renew:
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_10004
>> Default principal: test1@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 03/01/22 22:04:43  03/02/22 08:04:43  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>           renew until 03/08/22 22:04:43
>> 03/01/22 22:04:43  03/02/22 08:04:43  BACH$@EXAMPLE.COM
>> 03/01/22 22:50:34  03/02/22 08:04:43  host/vivaldi.EXAMPLE.COM@EXAMPLE.COM
>>           renew until 03/08/22 22:04:43
>> 03/01/22 23:47:12  03/02/22 08:04:43  imap/strauss.EXAMPLE.COM@EXAMPLE.COM
>>           renew until 03/08/22 22:04:43
>>
>> And after the winbind initiated renew:
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_10004
>> Default principal: test1@EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 03/02/22 12:09:52  03/02/22 22:09:52  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>           renew until 03/08/22 22:04:43
>>
>> All principals except one are gone and no principals are added on use
>> (such as the imap one when I access Thunderbird), but I can still read
>> mail and do everything.
>>
>> Is everything working as expected or am I still missing some config?
>> Is there an explanation for the difference in klist output?
>>
>> - Kees
> I wouldn't worry about it, you will probably find that the principals
> get added as you use them.
>
> Rowland

That is exactly what I don't see happening... I have run klist numerous
times since this morning but the list never showed more than one entry
since after the first renew this morning at 07:09.
Nevertheless everything continues to work fine, so in that sense
probably no need to worry :-)

The other thing that worries me is the documentation of CVE-2020-25717
(part of the release notes of 4.15.3) that led me into this trouble. Should
it not get updated to prevent other people running into the same issue?

- Kees
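The thread turns on reading klist output by eye: a 10h ticket lifetime, a "renew until" continuation line that is present on some tickets and absent on others, and a TGT that winbind is supposed to renew before it expires. The following is an added example, not code from the thread or from Samba: a small parser for MIT krb5 `klist` output that extracts each ticket's validity window and renew-until deadline, and a check that reports whether the TGT is fine, should be renewed now, or has already expired and needs a fresh kinit. The sample klist text is constructed here, modelled on the output quoted above (with a real `@` in place of the archive's ` at `); the timestamp format assumed is klist's default `%m/%d/%y %H:%M:%S`.

```python
"""Parse MIT krb5 `klist` output and report the state of the TGT.

Added example, not from the mailing-list thread or from Samba.
"""
from datetime import datetime, timedelta
import re

# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 22:04:43  03/02/22 08:04:43  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/08/22 22:04:43
03/01/22 22:04:43  03/02/22 08:04:43  BACH$@EXAMPLE.COM
03/01/22 22:50:34  03/02/22 08:04:43  host/vivaldi.EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/08/22 22:04:43
"""

TS_FMT = "%m/%d/%y %H:%M:%S"  # klist's default timestamp format (assumed)
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({_TS})\s*$")


def ts(s):
    """Parse a klist timestamp string into a datetime."""
    return datetime.strptime(s, TS_FMT)


def parse_klist(text):
    """Return (cache, default principal, list of ticket dicts)."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append({
                "service": m.group(3),
                "start": ts(m.group(1)),
                "expires": ts(m.group(2)),
                "renew_until": None,
            })
        elif (m := RENEW_RE.match(line)) and tickets:
            # The indented "renew until" line belongs to the ticket just parsed.
            tickets[-1]["renew_until"] = ts(m.group(1))
    return cache, principal, tickets


def summarise(tickets):
    """Per ticket: lifetime in hours and whether it is renewable at all."""
    return [
        {
            "service": t["service"],
            "lifetime_h": (t["expires"] - t["start"]).total_seconds() / 3600,
            "renewable": t["renew_until"] is not None
            and t["renew_until"] > t["expires"],
        }
        for t in tickets
    ]


def tgt_advice(tickets, now, within=timedelta(hours=1)):
    """State of the krbtgt ticket at time `now`.

    This is the check that 'winbind refresh tickets = yes' is meant to
    make unnecessary: a renewable TGT must be renewed before it expires;
    once expired it cannot be renewed and a new kinit is required.
    """
    for t in tickets:
        if not t["service"].startswith("krbtgt/"):
            continue
        if now >= t["expires"]:
            return "expired: a new kinit is needed"
        renewable = t["renew_until"] is not None and t["renew_until"] > t["expires"]
        if renewable and now + within >= t["expires"]:
            return "renew now (kinit -R)"
        return "ok"
    return "no TGT in cache"


if __name__ == "__main__":
    cache, principal, tickets = parse_klist(SAMPLE_KLIST)
    print(f"{principal} in {cache}")
    for row in summarise(tickets):
        print(f"  {row['service']:45s} {row['lifetime_h']:5.1f}h renewable={row['renewable']}")
    print("TGT:", tgt_advice(tickets, ts("03/02/22 07:30:00")))
```

Run it against `klist` output captured from a desktop (`klist > out.txt`, then `parse_klist(open("out.txt").read())`) to see the TGT's lifetime and renew deadline as numbers rather than two timestamps to subtract by hand; a cron or monitoring job calling `tgt_advice` with the current time is a quick way to notice when ticket refresh is not happening.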