[Samba] Kerberos settings

Rowland Penny rpenny at samba.org
Mon Feb 27 16:58:45 UTC 2023



On 27/02/2023 16:33, Vaughan, Robert J via samba wrote:
> On 27/02/2023 15:20, Vaughan, Robert J via samba wrote:
>> Hello listers
>>
>> In our environment there have been some changes in AD to what I think might be default Kerberos settings for tickets
>>
>> ticket_lifetime has been shortened from 24 hrs (default?) to 10 hrs
>>
>> renew_lifetime has been set at 7d from a default of no limit?
> 
>>> Can you describe your environment a little better ? I ask because, as
>>> far as I am aware, your changes have always been the defaults.
> 
> Hi Rowland, sorry, I apparently was wrong on those numbers being changed (after talking again with my Wintel/AD admin), and you are correct, they are the defaults.
> I wonder why in my default /etc/krb5.conf (Red Hat 7 domain member file server) those settings are 24h and 7d, and is that a problem?

I have no idea why they were set that way; I wasn't there :-D
As to being a problem, probably not.

> 
> 
>>
>> If this makes sense, just wondering if Samba needs to be aware of this (smb.conf: include system krb5 conf = yes), which is the default but I had been using "no" for this, and then adjust those lines in /etc/krb5.conf?
> 
>>> I do not understand why you have been doing that, it is only supposed to
>>> affect Samba DCs built with MIT
> 
> You are saying I should be using the default "yes" correct?

I am saying that I have never set that option and if you read the 
smb.conf manpage it states this:

Setting this parameter to no will prevent winbind to include the system 
/etc/krb5.conf file into the krb5.conf file it creates. See also create 
krb5 conf. This option only applies to Samba built with MIT Kerberos.

By my reading, winbind will ignore /etc/krb5.conf, but will only be 
effective if Samba is built using MIT (which may be the case on RHEL7).

>   
> If so, should the /etc/krb5.conf be updated to the 10h?

Possibly/probably. As I said, I do not have this problem, but I do not 
use the Red Hat distros.

> 
> I think I chose "no" a long time ago because Samba was the only thing using Kerberos at the time, although now I am using ssh logins against AD via winbind too

I do that as well, just using Kerberos, no passwords, no tickets.

> 
> Do smbd and winbind both need a restart for that change?

You could probably just reload the config with smbcontrol.

> 
>   
>> We see a situation where users appear to lose their drive mapping after some period of time where it was working fine, and it made me wonder if it could be related to Kerberos ticket expiration
> 
>>> Do you have 'winbind refresh tickets = yes' set in smb.conf ?
> 
> I do

As I said, I do not have this problem, but I do not mess with the krb5.conf

Rowland
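An added example, not from the thread or from Samba: a small shell check that reads ticket_lifetime and renew_lifetime from the [libdefaults] section of a krb5.conf and reports where the file asks for more than the domain policy grants (the 10h and 7d values come from the thread; the sample krb5.conf is constructed). It assumes MIT defaults of 1 day and 0 for unset keys, and that the KDC caps rather than rejects longer requests.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): compare the lifetimes a domain
# member's krb5.conf requests with the domain's Kerberos policy (10h / 7d here).
# A KDC caps tickets at its own policy, so a larger client value is reduced,
# not rejected; this check only makes the mismatch visible.

# Convert a krb5.conf duration (24h, 7d, 1h30m, or bare seconds) to seconds.
krb_duration_to_seconds() {
  total=0; rest=$1
  while [ -n "$rest" ]; do
    num=${rest%%[!0-9]*}; [ -n "$num" ] || return 1   # leading digits, else malformed
    rest=${rest#"$num"}
    case $rest in
      d*) total=$((total + num * 86400)); rest=${rest#d} ;;
      h*) total=$((total + num * 3600));  rest=${rest#h} ;;
      m*) total=$((total + num * 60));    rest=${rest#m} ;;
      s*) total=$((total + num));         rest=${rest#s} ;;
      '') total=$((total + num)) ;;                      # plain number = seconds
      *)  return 1 ;;
    esac
  done
  echo "$total"
}
# Print KEY from the [libdefaults] section of FILE (empty when not set there).
krb5_libdefault() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_sec && match($0, "^[ \t]*" key "[ \t]*=[ \t]*") {
      v = substr($0, RLENGTH + 1); sub(/[ \t#;].*/, "", v); print v; exit
    }' "$1"
}
# check_krb5_lifetimes FILE POLICY_TICKET POLICY_RENEW: returns 0 when FILE stays within
# policy, 1 when it asks for more. Unset keys use MIT defaults (1d ticket, 0 renew).
check_krb5_lifetimes() {
  rc=0
  for spec in "ticket_lifetime:$2:1d" "renew_lifetime:$3:0"; do
    key=${spec%%:*}; tail=${spec#*:}; policy=${tail%%:*}; dflt=${tail#*:}
    val=$(krb5_libdefault "$1" "$key")
    have=$(krb_duration_to_seconds "${val:-$dflt}") || { echo "bad $key: $val"; return 2; }
    want=$(krb_duration_to_seconds "$policy")
    if [ "$have" -gt "$want" ]; then
      echo "$key = ${val:-<unset, default $dflt>} exceeds domain policy $policy (KDC will cap it)"; rc=1
    fi
  done; return $rc
}
# Constructed sample resembling the RHEL 7 member-server file from the thread.
SAMPLE_KRB5CONF=$(mktemp); trap 'rm -f "$SAMPLE_KRB5CONF"' EXIT
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n ticket_lifetime = 24h\n renew_lifetime = 7d\n' > "$SAMPLE_KRB5CONF"
check_krb5_lifetimes "$SAMPLE_KRB5CONF" 10h 7d || echo "adjust /etc/krb5.conf, then reload with smbcontrol"
```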
