Dirk Heinrichs
2017-Mar-08 20:27 UTC
[Samba] Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD
Hi,

I've recently migrated an LDAP/Kerberos 5 setup to a Samba 4 based Active Directory, mainly to support a couple of Windows clients. Since this is a small private network, I've set quite long Kerberos ticket lifetimes in smb.conf on the DC. These work fine on the Windows clients, but are somehow completely ignored on the Linux clients, where users always get the default ticket lifetime of 10 hours. OTOH, if I just kinit I get the correct ticket lifetimes, as shown below (right after login):

% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08.03.2017 19:35:46  09.03.2017 05:35:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	erneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46  09.03.2017 05:35:44  SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47  09.03.2017 05:35:44  afs/example.com@EXAMPLE.COM
	erneuern bis 07.04.2017 20:35:44

% kinit
Passwort for someuser@EXAMPLE.COM:

% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08.03.2017 19:36:36  07.04.2017 20:36:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	erneuern bis 07.04.2017 20:36:30

Linux clients are set up to use winbind (incl. PAM and NSS modules). Any idea what I can do to get the correct ticket lifetime right after login?

Thanks...

	Dirk

--
Dirk Heinrichs <dirk.heinrichs at altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
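As an added illustration (not part of Dirk's message or of Samba), here is a small Python check that parses klist output like the one quoted above and compares the TGT lifetime a user actually received at login against the lifetime a fresh kinit yields. The sample output is transcribed from the post (German MIT Kerberos locale, DD.MM.YYYY timestamps, "erneuern bis" for "renew until"); the function names and the 5-minute tolerance are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples, transcribed from the klist output quoted in the post.
# German MIT Kerberos locale: "erneuern bis" == "renew until", DD.MM.YYYY dates.
KLIST_AFTER_LOGIN = """\
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08.03.2017 19:35:46  09.03.2017 05:35:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\terneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46  09.03.2017 05:35:44  SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47  09.03.2017 05:35:44  afs/example.com@EXAMPLE.COM
\terneuern bis 07.04.2017 20:35:44
"""

KLIST_AFTER_KINIT = """\
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
08.03.2017 19:36:36  07.04.2017 20:36:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\terneuern bis 07.04.2017 20:36:30
"""

# Timestamp layout assumed from the post; other locales print dates differently.
TIMESTAMP = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TIMESTAMP})\s+({TIMESTAMP})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*(?:erneuern bis|renew until)\s+({TIMESTAMP})\s*$")


def parse_ts(text):
    return datetime.strptime(text, "%d.%m.%Y %H:%M:%S")


def parse_klist(output):
    """Return a list of dicts (service, start, expires, renew_until) from klist text."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": parse_ts(m.group(1)),
                "expires": parse_ts(m.group(2)),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # A renew-until line belongs to the ticket printed directly above it.
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return tickets


def tgt_lifetime(tickets):
    """Lifetime (expires - start) of the first krbtgt ticket, or None if there is none."""
    for t in tickets:
        if t["service"].startswith("krbtgt/"):
            return t["expires"] - t["start"]
    return None


def lifetime_matches_policy(actual, expected, slack=timedelta(minutes=5)):
    """True if the granted lifetime is within `slack` of the expected one.

    A KDC may trim a lifetime slightly (clock skew, rounding), so exact
    equality would be too strict; a 10 h default versus a 30 day policy is
    far outside any such slack and gets flagged.
    """
    if actual is None:
        return False
    return abs(expected - actual) <= slack


if __name__ == "__main__":
    expected = tgt_lifetime(parse_klist(KLIST_AFTER_KINIT))
    actual = tgt_lifetime(parse_klist(KLIST_AFTER_LOGIN))
    print(f"TGT lifetime after login: {actual}; after kinit: {expected}")
    print("configured lifetime applied at login:",
          lifetime_matches_policy(actual, expected))
```

Run on a real client, feed it the output of `klist` right after login and again after `kinit`; a mismatch like the one in the post (just under 10 hours versus 30 days) points at the PAM/credential-cache path rather than at the KDC's policy.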
Dirk Heinrichs
2017-Mar-11 10:17 UTC
[Samba] Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD
On 08.03.2017 at 21:27, Dirk Heinrichs wrote:
> Linux clients are set up to use winbind (incl. PAM and NSS modules).
> Any idea what I can do to get the correct ticket lifetime right after
> login?

Using sssd (with AD provider) instead of winbind solves the problem.

Bye...

	Dirk

--
Dirk Heinrichs <dirk.heinrichs at altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de