Dirk Heinrichs
2017-Mar-08 20:27 UTC
[Samba] Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD
Hi,
I've recently migrated an LDAP/Kerberos 5 setup to a Samba 4 based
Active Directory, mainly to support a couple of Windows clients. Since
this is a small private network, I've set quite long kerberos ticket
lifetimes in smb.conf on the DC. These work fine on the Windows clients,
but are somehow completely ignored on the Linux clients, where users
always get the default ticket lifetime of 10 hours. OTOH, if I just
kinit I get the correct ticket lifetimes, as shown below (right after
login):
% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser at EXAMPLE.COM
Valid starting Expires Service principal
08.03.2017 19:35:46 09.03.2017 05:35:44 krbtgt/EXAMPLE.COM at EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46 09.03.2017 05:35:44 SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47 09.03.2017 05:35:44 afs/example.com at EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
% kinit
Passwort for someuser at EXAMPLE.COM:
% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: someuser at EXAMPLE.COM
Valid starting Expires Service principal
08.03.2017 19:36:36 07.04.2017 20:36:30 krbtgt/EXAMPLE.COM at EXAMPLE.COM
erneuern bis 07.04.2017 20:36:30
Linux clients are setup to use winbind (incl. PAM and NSS modules). Any
idea what I can do to get the correct ticket lifetime right after login.
Thanks...
Dirk
--
Dirk Heinrichs <dirk.heinrichs at altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Sichere Internetkommunikation: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de
Dirk Heinrichs
2017-Mar-11 10:17 UTC
[Samba] Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD
Am 08.03.2017 um 21:27 schrieb Dirk Heinrichs:> Linux clients are setup to use winbind (incl. PAM and NSS modules). > Any idea what I can do to get the correct ticket lifetime right after > login?Using sssd (with AD provider) instead of winbind solves the problem. Bye... Dirk -- Dirk Heinrichs <dirk.heinrichs at altum.de> GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015 Sichere Internetkommunikation: http://www.retroshare.org Privacy Handbuch: https://www.privacy-handbuch.de
Reasonably Related Threads
- Samba AD with internal DNS: Can't resolve aliases anymore
- Samba AD with internal DNS: Can't resolve aliases anymore
- Samba AD with internal DNS: Can't resolve aliases anymore
- AD: Using SyncThing for sysvol replication
- Second DC: "Failed DNS update - with error code 24" in the logs