> I hope that you're doing well...

I am, thanks. I still need to answer your private email, but I didn't find time yet.

>>> On the client, add:
>>>
>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>
>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>
>>> gensec_gssapi:requested_life_time = 3600
>>
>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>
> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>
> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...

How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:

Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)

How do you determine what the ticket life time is?

-Remy

P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, that is where I got the setting from.
On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>> On the client, add:
>>>>
>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>
>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>
>>>> gensec_gssapi:requested_life_time = 3600
>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>
>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>
>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>
> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>
> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>
> How do you determine what the ticket life time is?
>
> -Remy
>
> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, that is where I got the setting from.
>

Hi Remy,

I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.

Jason.
> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>
> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>> On the client, add:
>>>>>
>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>
>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>
>>>>> kdc:user ticket lifetime = 24 = 3600
>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>>
>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>>
>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>
>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>
>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>
>> How do you determine what the ticket life time is?
>>
>> -Remy
>>
>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/ <https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/>, that is where I got the setting from.
>>
> Hi Remy,
>
> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.

I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?

Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?

What does the 'klist' output look like?
I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.

The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.

-Remy
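
The log check suggested in the thread can be scripted. The following is an added example, not part of the original messages or of Samba: it parses the "Current tickets expire in ..." lines from log.wb-* text and reports the entries whose remaining lifetime is larger than the configured gensec_gssapi:requested_life_time. The function names and the second sample log line are constructed for illustration.

```python
import re

# Line format as quoted in the thread (winbind log.wb-* at log level 7).
EXPIRY_RE = re.compile(
    r"Current tickets expire in (\d+) seconds "
    r"\(at (\d+), time is now (\d+)\)"
)

def parse_expiry_lines(log_text):
    """Extract every ticket-expiry record found in winbind log text."""
    records = []
    for m in EXPIRY_RE.finditer(log_text):
        remaining, expires_at, now = (int(g) for g in m.groups())
        records.append({
            "remaining": remaining,
            "expires_at": expires_at,
            "now": now,
            # The three numbers are redundant; a mismatch means a mangled line.
            "consistent": expires_at - now == remaining,
        })
    return records

def setting_ignored(records, requested_life_time):
    """Return records that prove the requested lifetime was not honoured.

    Only 'remaining > requested' is conclusive: a ticket issued for 10 hours
    also shows less than an hour remaining near the end of its life, so a
    small value alone does not prove the setting took effect.
    """
    return [r for r in records
            if r["consistent"] and r["remaining"] > requested_life_time]

# First line is the one quoted in the thread; the second is constructed
# to represent a ticket that still has close to 10 hours left.
SAMPLE_LOG = """\
  Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
  Current tickets expire in 35900 seconds (at 1577582519, time is now 1577546619)
"""

if __name__ == "__main__":
    recs = parse_expiry_lines(SAMPLE_LOG)
    for r in setting_ignored(recs, requested_life_time=3600):
        print("lifetime exceeds requested 3600 s:", r)
```

These log lines describe the Winbind ticket only; tickets obtained with a separate 'kinit' and listed with 'klist' are not covered by this check.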