[Samba] Kerberos settings

Vaughan, Robert J vaughar2 at gdls.com
Mon Feb 27 16:33:34 UTC 2023


On 27/02/2023 15:20, Vaughan, Robert J via samba wrote:
> Hello listers
> 
> In our environment there have been some changes in AD to what I think might be default Kerberos settings for tickets
> 
> ticket_lifetime has been shortened from 24 hrs (default?) to 10 hrs
> 
> renew_lifetime has been set at 7d from a default of no limit?

>> Can you describe your environment a little better? I ask because, as 
>> far as I am aware, your changes have always been the defaults.

Hi Rowland, sorry, I apparently was wrong about those numbers being changed (after talking again with my Wintel/AD admin), and you are correct that they are the defaults.
I wonder why in my default /etc/krb5.conf (Red Hat 7 domain member file server) those settings are 24h and 7d, and is that a problem?


> 
> If this makes sense, just wondering if Samba needs to be aware of this (smb.conf: include system krb5 conf = yes), which is the default but I had been using "no" for this... and then adjust those lines in /etc/krb5.conf?

>> I do not understand why you have been doing that, it is only supposed to 
>> affect Samba DCs built with MIT

You are saying I should be using the default "yes", correct?

If so, should the /etc/krb5.conf be updated to the 10h?

I think I chose "no" a long time ago because Samba was the only thing using Kerberos at the time, although now I am using ssh logins against AD via winbind too.

Do smbd and winbind both need a restart for that change?

 
> We see a situation where users appear to lose their drive mapping after some period of time where it was working fine, and it made me wonder if it could be related to Kerberos ticket expiration

>> Do you have 'winbind refresh tickets = yes' set in smb.conf ?

I do.
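Added example (not code from this thread or from the Samba project): a small Python check that reads ticket_lifetime and renew_lifetime from a krb5.conf [libdefaults] section, normalises the MIT duration syntax (plain seconds, h:m[:s], or NdNhNmNs) to seconds, and works out the lifetime a ticket actually ends up with, since the KDC caps whatever the client requests at its own maximum. The krb5.conf text is constructed, and the 10h/7d KDC limits are taken from the figures quoted in the message.

```python
"""Work out the effective Kerberos ticket lifetime for a client krb5.conf.

Added example, not from the Samba list thread or the Samba project.
A client's ticket_lifetime is only a request: the KDC issues
min(requested, KDC maximum), so 24h in krb5.conf against a 10h KDC
policy yields a 10h ticket.
"""
import re

# Constructed sample of what a RHEL 7 member server's krb5.conf might carry.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
"""

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Return seconds for an MIT krb5 duration: '36000', '10:00:00', '1d12h'."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if ":" in text:                                  # h:m or h:m:s
        parts = [int(p) for p in text.split(":")] + [0]
        h, m, s = parts[:3]
        return h * 3600 + m * 60 + s
    if not re.fullmatch(r"(\d+[dhms])+", text):
        raise ValueError("unrecognised krb5 duration: %r" % text)
    return sum(int(v) * _UNITS[u] for v, u in re.findall(r"(\d+)([dhms])", text))

def libdefaults(conf_text):
    """Collect key = value pairs from the [libdefaults] section only."""
    values, in_section = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_section = line == "[libdefaults]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def effective_lifetime(conf_text, kdc_max_ticket, kdc_max_renew):
    """Lifetimes the KDC will actually grant; MIT defaults are 24h and 0."""
    d = libdefaults(conf_text)
    return {
        "ticket": min(parse_duration(d.get("ticket_lifetime", "24h")), parse_duration(kdc_max_ticket)),
        "renew": min(parse_duration(d.get("renew_lifetime", "0")), parse_duration(kdc_max_renew)),
    }
```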
