Hi list,

I want to make winbind Kerberos ticket refresh work, but I couldn't do it with the configuration below:

------ smb.conf ------
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG
log file = /var/log/samba/%m.log
log level = 6
enable core files = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
template shell = /bin/bash
template homedir = /home/%D/%U
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no
winbind expand groups = 1
winbind nested groups = yes
winbind offline logon = yes

------ common-auth ------
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

------ pam_winbind.conf ------
[global]
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no

------ some tests ------
# net ads testjoin
Join is OK

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
   2 host/client28@MYDOMAIN.ORG
   2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
   2 host/client28@MYDOMAIN.ORG
   2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
   2 host/client28@MYDOMAIN.ORG
   2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
   2 host/client28@MYDOMAIN.ORG
   2 host/client28.MYDOMAIN.ORG@MYDOMAIN.ORG
   2 host/client28@MYDOMAIN.ORG
   2 client28$@MYDOMAIN.ORG
   2 client28$@MYDOMAIN.ORG
   2 client28$@MYDOMAIN.ORG
   2 client28$@MYDOMAIN.ORG
   2 client28$@MYDOMAIN.ORG

$ klist
Ticket cache: FILE:/tmp/krb5cc_582587
Default principal: john.doe@MYDOMAIN.ORG

Valid starting       Expires              Service principal
16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
	renew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@
	renew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
	renew until 23-08-2019 16:08:44

According to the "klist" output for user john.doe@MYDOMAIN.ORG, the Kerberos ticket is expired but there is still time to renew it. Is winbind capable of extending his ticket as long as his session is active? Should I do some extra work for this automatic process to work? In my case, after 10 hours, users can't use our web gateway (HTTP proxy) due to the expired keys. Users have to do "kinit -R" to refresh tickets, which doesn't make any sense if winbind is capable of extending the ticket's validity automatically with a proper configuration.

Any suggestion appreciated.

Regards.

Samba 4.10.6 (van-belle repo)
Debian 10

__
Taner Tas
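The question hinges on the gap between a ticket's "Expires" time and its "renew until" time in the klist output above. As an added example (not code from the thread or from Samba), here is a small Python parser for that klist layout that classifies each ticket as still valid, expired but still renewable with "kinit -R", or expired beyond renewal; the cache text is a constructed sample modelled on the posted output.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output posted in the thread
# (the list archive's " at " obfuscation is written back as '@').
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_582587
Default principal: john.doe@MYDOMAIN.ORG

Valid starting       Expires              Service principal
16-08-2019 17:07:46  17-08-2019 03:07:46  krbtgt/MYDOMAIN.ORG@MYDOMAIN.ORG
\trenew until 23-08-2019 16:08:44
16-08-2019 17:07:48  17-08-2019 03:07:46  HTTP/proxy.mydomain.org@MYDOMAIN.ORG
\trenew until 23-08-2019 16:08:44
"""

FMT = "%d-%m-%Y %H:%M:%S"          # dd-mm-yyyy, as in the posted output
TS = r"\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})")

def parse_klist(text):
    """Parse klist output into dicts with start/expires/service/renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "service": m.group(3),
                            "renew_until": None})
            continue
        r = RENEW_RE.match(line)          # continuation line of the entry above
        if r and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
    return tickets

def ticket_state(ticket, now):
    """'valid', 'expired-renewable' (kinit -R still works) or 'expired-unrenewable'."""
    if now < ticket["expires"]:
        return "valid"
    if ticket["renew_until"] is not None and now < ticket["renew_until"]:
        # Renewal (TGS-REQ) applies to the TGT; service tickets are then
        # re-requested with the renewed TGT.
        return "expired-renewable"
    return "expired-unrenewable"          # a fresh AS-REQ (new logon) is needed

def classify_cache(text, now_str):
    """Map service principal -> state at wall-clock time now_str (in FMT)."""
    now = datetime.strptime(now_str, FMT)
    return {t["service"]: ticket_state(t, now) for t in parse_klist(text)}
```

Run against a real cache with classify_cache(open("/tmp/krb5cc_582587.txt").read(), ...) after saving "klist" output; an "expired-renewable" TGT is exactly the state the poster describes, where only a renewal, not a new logon, is still required.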
Hai,

Below is a bit garbled, but what about:

What did you set for your proxy server? Did you enable "This computer is allowed to delegate (Kerberos only)":

samba-tool delegation for-any-service COMPUTERNAME$ on

And have you tried to increase the ticket lifetime in /etc/krb5.conf? For example:

ticket_lifetime = 24h

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Taner Tas via samba
> Sent: Monday 19 August 2019 10:32
> To: samba at lists.samba.org
> Subject: [Samba] How does "winbind refresh tickets" work?
>
> [...]
On 19/08/2019 09:31, Taner Tas via samba wrote:
> [...]

Try this:

apt-get install libpam-krb5

Rowland
Hi,

I just checked (enabled) "Trust this computer for delegation to any service (Kerberos only)" for the proxy server, which wasn't checked before. I tested it after installing libpam-krb5 (which Rowland advised) with the /etc/krb5.conf below.

------ krb5.conf ------
[libdefaults]
        default_realm = MYDOMAIN.ORG
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 5m
        renew_lifetime = 6m

[realms]
MYDOMAIN.ORG = {
        default_principal_flags = +renewable
}
------

I used small time steps (5m+1m) in order to observe the behavior, but unfortunately it didn't work. The ticket doesn't get updated by winbind. Any further advice?

__
Taner Tas

On Monday, August 19, 2019, 11:48:20 AM GMT+3, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> [...]