[Samba] Kerberos settings

Rowland Penny rpenny at samba.org
Mon Feb 27 16:20:05 UTC 2023

On 27/02/2023 15:20, Vaughan, Robert J via samba wrote:
> Hello listers
> In our environment there have been some changes in AD to what I think might be default Kerberos settings for tickets
> ticket_lifetime has been shortened from 24 hrs (default?) to 10 hrs
> renew_lifetime has been set at 7d from a default of no limit?

Can you describe your environment a little better ? I ask because, as 
far as I am aware, your changes have always been the defaults.

> If this makes sense, just wondering if Samba needs to be aware of this (smb.conf: include system krb5 conf = yes)?, which is the default but I had been using "no" for this .. and then adjust those lines in /etc/krb5.conf?

I do not understand why you have been doing that, it is only supposed to 
affect Samba DC's built with MIT

> We see a situation where users appear to lose their drive mapping after some period of time where it was working fine, and it made me wonder if it could be related to Kerberos ticket expiration

Do you have 'winbind refresh tickets = yes' set in smb.conf ?


More information about the samba mailing list