[Samba] Kerberos ticket expiry and share disconnect
Peter Milesson
miles at atmos.eu
Tue Jun 10 06:22:26 UTC 2025
On 09.06.2025 22:29, Rowland Penny via samba wrote:
> On Fri, 6 Jun 2025 11:48:50 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> When starting to work on a Linux domain member PC early in the
>> morning, and continuing for more than 10 hours, mounted shares
>> disconnect 10 hours after first logging in. It seems the
>> kerberos expiry time of 10 hours is responsible for this behavior.
>> It's really quite frustrating that documents just disappear in front
>> of your eyes when this happens. Those problems have been reported
>> numerous times in this list through the years.
>>
>> Setting the default domain policies on the Samba AD DC with Microsoft
>> ADUC (Default domain policy\Computer configuration\Policies\Windows
>> settings\Security\Account policies\Kerberos policies) does not seem to
>> have the slightest effect. The default expiry times remain both in
>> Linux member servers, and in Windows clients.
>>
>> I have tried to dig through the documentation, unfortunately without
>> any positive results.
>>
>> Does the Samba AD DC respect the set values at all? If not, how and
>> where do I set the kerberos ticket policies for the Samba domain?
>> Do I use samba-tool, and in that case what is the command for setting
>> the kerberos ticket expiry time? Do I set it in /etc/krb5.conf? Or in
>> smb.conf? And do I set it in all Linux domain members? And what about
>> Windows clients?
>>
>> There is a Wiki page
>> (https://wiki.samba.org/index.php/Samba_KDC_Settings), but there are
>> no details into which file those settings go.
> What, other than, from that wiki page:
>
> Samba 4's KDC ticket life can be controlled using the parameters in
> smb.conf
>
>> If somebody could share their knowledge about this, I would be
>> grateful. The Wiki should also be updated, as it's sorely lacking in
>> information value.
> The problem is, my shares do not disconnect after 10 hours, but other
> than adding 'winbind refresh tickets = yes' to smb.conf, I do not
> set/alter anything else.
>
> How are you mounting the share ?
>
> Rowland
>
Hi Rowland,
I changed the kerberos ticket expiry times in the default domain GPO
with ADUC, and it seems to have worked, but a couple of days later or
so. I set the expiry times to 24 hours, and that now seems to work.
Running gpupdate /force in Windows did not affect the expiry times on
the tickets that were issued. Later, I updated the OS on all Linux
boxes, including the AD DC, and rebooted everything. That was probably
what made the changes take effect. But IMHO, the changes should be
effective, at least within a couple of hours. A reboot should not be
required.
I was probably a bit impatient. Sorry for the noise.
Best regards,
Peter
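As an added illustration (not part of the thread, and not a configuration posted by either participant), the smb.conf settings the exchange above refers to: the KDC ticket-lifetime parameters listed on https://wiki.samba.org/index.php/Samba_KDC_Settings for the AD DC, and the `winbind refresh tickets` option Rowland mentions for the domain members. The 24-hour and 168-hour values are assumptions chosen to match the 24-hour lifetime Peter settled on; the 10-hour figures are the default the thread describes.

```ini
; Added example, not from the Samba wiki or the mailing-list posts.
; Parameter names: https://wiki.samba.org/index.php/Samba_KDC_Settings
; Values are assumptions for illustration; lifetimes are in hours.

; ---- Fragment 1: on the Samba AD DC, /etc/samba/smb.conf ----
; Default behaviour (what you get when nothing is set) is the 10-hour
; ticket lifetime the thread complains about:
;   kdc:user ticket lifetime    = 10
;   kdc:service ticket lifetime = 10
;   kdc:renewal lifetime        = 168
[global]
    ; Issue 24-hour user and service tickets instead of 10-hour ones.
    kdc:user ticket lifetime    = 24
    kdc:service ticket lifetime = 24
    ; Keep a 7-day renewal window so a still-valid ticket can be renewed
    ; rather than forcing a fresh authentication.
    kdc:renewal lifetime        = 168

; ---- Fragment 2: on every Linux domain member, /etc/samba/smb.conf ----
[global]
    ; Have winbind renew the logged-in user's TGT before it expires, so a
    ; share mounted with that user's ticket does not lose its credential
    ; mid-session.
    winbind refresh tickets = yes
```

The KDC reads these parameters from smb.conf on the DC, so restart the samba service there after editing (the systemd unit name varies by distribution); on the members, restart winbind. To verify, `kinit` as a domain user and run `klist`: the "Expires" column should now be 24 hours after the "Valid starting" column. Note the trade-off before raising the value much further: a longer ticket lifetime is also a longer window in which a stolen TGT or service ticket remains usable, so a modest lifetime plus renewal is preferable to multi-day tickets.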