> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>
>
> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>> On the client, add:
>>>>>
>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>
>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>
>>>>> kdc:user ticket lifetime = 24 = 3600
>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>>
>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>>
>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>
>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>
>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>
>> How do you determine what the ticket life time is?
>>
>>
>> -Remy
>>
>>
>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>>
>>
> Hi Remy,
>
> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.

I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?

Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?

What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.

The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.

-Remy
On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote:
>> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>>
>>
>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>>> On the client, add:
>>>>>>
>>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>>
>>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>>
>>>>>> kdc:user ticket lifetime = 24 = 3600
>>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>>>
>>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>>>
>>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>>
>>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>>
>>> How do you determine what the ticket life time is?
>>>
>>>
>>> -Remy
>>>
>>>
>>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>>>
>>>
>> Hi Remy,
>>
>> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.
> I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?
>
>
> Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?
>
>
> What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.
>
>
> The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.
>
>
> -Remy

Remy,

On the domain controller (samba-ad-dc), I have in the config:

kdc:user ticket lifetime = 24

When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.

From klist output on the client:

Valid starting       Expires              Service principal
09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/07/2020 19:13:38

10 hours.

The client is mounting from an NFS server that is also part of the domain.

I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.

After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit. Even these "kdc:" options are not part of smb man page. I don't really understand why. I guess everyone keeps the defaults?

Jason.

the settings through /etc/krb5.conf I wanted to reduce this number to 1 hour to ensure that winbind
On 01/10/2020 00:23, Jason Keltz via samba wrote:
>
> Remy,
>
> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24

I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ?

>
> When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.

That is the default.

>
> The client is mounting from an NFS server that is also part of the domain.
>
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>
> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit. Even these "kdc:" options are not part of smb man page. I don't really understand why. I guess everyone keeps the defaults?

Provided you have 'winbind refresh tickets = yes' in the smb.conf on the Unix domain member, the users' tickets will be renewed when required.

Rowland
On 9/30/2020 7:23 PM, Jason Keltz wrote:
> On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote:
>
>>> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote:
>>>
>>>
>>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote:
>>>>>>> On the client, add:
>>>>>>>
>>>>>>> gensec_gssapi:requested_life_time = <int> # seconds
>>>>>>>
>>>>>>> to smb4.conf. E.g. a ticket life time of one hour:
>>>>>>>
>>>>>>> kdc:user ticket lifetime = 24 = 3600
>>>>>> Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
>>>>>>
>>>>> I'm a bit puzzled. I tried this on the AD client, restarted Samba, logged out and in, and it didn't make any difference. I did the same thing from the DC.
>>>>>
>>>>> I also don't see gensec_gssapi mentioned at all in the smb.conf man page at least for the version that we are running...
>>>> How do you know it is not working? If you set the log level to 7, watch the log.wb-* files for lines like:
>>>>
>>>> Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)
>>>>
>>>> How do you determine what the ticket life time is?
>>>>
>>>>
>>>> -Remy
>>>>
>>>>
>>>> P.S. refer to https://forums.freebsd.org/threads/winbind-ad-dropping-every-10-hours.70752/, that is where I got the setting from.
>>>>
>>>>
>>> Hi Remy,
>>>
>>> I just did a "klist" to see how much time was remaining on the ticket. What I was expecting was that rather than showing 10 hour expiry, the expiry would have been 1 hour.
>> I still don't understand what you are doing. Preceding the 'klist', are you doing a 'kinit'? If so, how?
>>
>>
>> Now I am a bit puzzled... So you have a Samba AD on which you tried to set the user ticket lifetime to 24 hours using 'kdc:user ticket lifetime = 24'. And you have a machine which is client to the Samba AD. Although the lifetime setting is 24 hours, the client shows a ticket lifetime of 10 hours. Correct?
>>
>> What does the 'klist' output look like? I would like to see what kind of tickets you get, since if these are service tickets, then you might try 'kdc:service ticket lifetime = 24'.
>>
>>
>> The 'gensec_gssapi:requested_life_time' setting is for the Winbind kerberos ticket. I was assuming you were talking about a Samba member server, which also acts as a NFSv4 server, but I think I misunderstood. Sorry.
>>
>>
>> -Remy
>
> Remy,
>
> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24
>
> When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.
>
> From klist output on the client:
>
> Valid starting       Expires              Service principal
> 09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
>     renew until 10/07/2020 19:13:38
>
> 10 hours.
>
> The client is mounting from an NFS server that is also part of the domain.
>
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>
> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit. Even these "kdc:" options are not part of smb man page. I don't really understand why. I guess everyone keeps the defaults?

This morning, 10 hours after the original ticket, I note the following:

1) On the system I logged into via GNOME, the Kerberos ticket has been renewed:

Yesterday it was:

Valid starting       Expires              Service principal
09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/07/2020 19:13:38

Today it is:

Valid starting       Expires              Service principal
10/01/2020 07:58:51  10/01/2020 17:58:50  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/08/2020 07:58:51

That worked. Nice.

However, I had also SSHed to another Linux system in the domain with a forwarded Kerberos ticket. That system also uses pam_winbind. On that one, the auto renewal did not work.

Yesterday:

Valid starting       Expires              Service principal
09/30/2020 21:20:37  10/01/2020 07:13:34  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/07/2020 19:13:38

Today:

Valid starting       Expires              Service principal
09/30/2020 21:20:37  10/01/2020 07:13:34  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/07/2020 19:13:38

% ls
ls: cannot open directory .: Key has expired

I can't, of course, kinit -R because the ticket has expired. I tried it just for fun:

> % kinit -R
> kinit: Ticket expired while renewing credentials

I have two options. I can "kinit" on the system, and the ticket would be renewed. I also did an ssh to the system from another window, and now:

Valid starting       Expires              Service principal
10/01/2020 08:09:10  10/01/2020 17:58:50  krbtgt/AD.EECS.YORKU.CA at AD.EECS.YORKU.CA
    renew until 10/08/2020 07:58:51

The new ticket comes through. Now an "ls" works on the NFS mount.

So why is it that winbind renews the ticket on the original system, but on the system that I ssh to, it does not?

Jason.
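As an added example, not from the thread or from Samba itself: a small Python helper that parses klist output in the layout shown above and the log.wb-* line Remy mentioned, computing each ticket's lifetime and whether it is still renewable at a given time (a ticket that has already passed "Expires" cannot be renewed, which is the "Ticket expired while renewing credentials" case). The klist text and log line below are constructed to match the thread's format; the principal uses '@' where the list archive prints ' at '.

```python
import re
from datetime import datetime

# Constructed klist output in the layout shown in the thread (MIT klist, US
# date format); the principal uses '@' where the list archive printed ' at '.
KLIST_SAMPLE = """\
Valid starting       Expires              Service principal
09/30/2020 19:13:38  10/01/2020 05:13:37  krbtgt/AD.EECS.YORKU.CA@AD.EECS.YORKU.CA
    renew until 10/07/2020 19:13:38
"""
# Constructed log.wb-* line in the form Remy quoted (winbind at log level 7).
WB_LOG_SAMPLE = "Current tickets expire in 2187 seconds (at 1577548806, time is now 1577546619)"
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"renew until ({TS})")
WB_RE = re.compile(r"expire in (\d+) seconds \(at (\d+), time is now (\d+)\)")
def parse_ts(s):
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")
def parse_klist(text):
    """One dict per ticket: principal, start, expires, renew_until, lifetime_s."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, exp = parse_ts(m.group(1)), parse_ts(m.group(2))
            tickets.append({"principal": m.group(3), "start": start, "expires": exp,
                            "renew_until": None,
                            "lifetime_s": int((exp - start).total_seconds())})
            continue
        r = RENEW_RE.search(line)
        if r and tickets:  # the 'renew until' line belongs to the ticket above it
            tickets[-1]["renew_until"] = parse_ts(r.group(1))
    return tickets
def ticket_state(t, now):
    # A ticket past 'Expires' cannot be renewed even inside its 'renew until'
    # window: that is the 'Ticket expired while renewing credentials' case.
    if now >= t["expires"]:
        return "expired"
    if t["renew_until"] is not None and now < t["renew_until"]:
        return "valid-renewable"
    return "valid-not-renewable"
def parse_wb_log(line):
    # Extract the three numbers and check that they agree with each other.
    m = WB_RE.search(line)
    if not m:
        return None
    expires_in, at, now = (int(x) for x in m.groups())
    return {"expires_in": expires_in, "expires_at": at, "now": now,
            "consistent": at - now == expires_in}
```

Run parse_klist over the output of klist on the domain member and compare the lifetime against what the DC setting was supposed to give; the winbind log line, when it appears, shows that winbind is tracking the same expiry.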