[Samba] Kerberos ticket expiry and share disconnect

Rowland Penny rpenny at samba.org
Mon Jun 9 20:29:04 UTC 2025 

On Fri, 6 Jun 2025 11:48:50 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
> 
> When starting to work on a Linux domain member PC early in the
> morning, and continuing for more than 10 hours, mounted shares
> disconnect 10 hours after logging first logging in. It seems the
> kerberos expiry time of 10 hours is responsible for this behavior.
> It's really quite frustrating that documents just disappear in front
> of your eyes when this happens. Those problems have been reported
> numerous times in this list through the years.
> 
> Setting the default domain policies on the Samba AD DC with Microsoft 
> ADUC (Default domain policy\Computer configuration\Policies\Windows 
> settings\Security\Account policies\Kerberos policies) do not seem to 
> have the slightest effect. The default expiry times remain both in
> Linux member servers, and in Windows clients.
> 
> I have tried to dig through the documentation, unfortunately with any 
> positive results.
> 
> Do the Samba AD DC respect the set values at all? If not, how and
> where do I set the the kerberos ticket policies for the Samba domain?
> Do I use samba-tool, and in that case what is the command for setting
> the kerberos ticket expiry time? Do I set it in /etc/krb5.conf? Or in 
> smb.conf? And do I set it in all Linux domain members? And what about 
> Windows clients?
> 
> There is a Wiki page 
> (https://wiki.samba.org/index.php/Samba_KDC_Settings), but there are
> no details into which file those settings go.

What, other than, from that wiki page:

Samba 4's KDC ticket life can be controlled using the parameters in
smb.conf 

> 
> If somebody could share their knowledge about this, I would be
> grateful. The Wiki should also be updated, as it's sorely lacking in
> information value.

The problem is, my shares do not disconnect after 10 hours, but other
than adding 'winbind refresh tickets = yes' to smb.conf, I do not
set/alter anything else.

How are you mounting the share ?

Rowland

More information about the samba mailing list