Hi.

I have a question about Kerberos ticket lifetime in AD with Samba.

I'm running on CentOS 7 with Samba 4.11. If I change "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client /etc/krb5.conf, it doesn't seem to make a difference. When I log out and back in to the client (that is using pam_winbind), I still get a 10 hour ticket time. I found this page:

https://wiki.samba.org/index.php/Samba_KDC_Settings

and tried setting "kdc:user ticket lifetime = 24" on the DC even though this doesn't even appear in the smb.conf man page, but it didn't seem to have any effect either. Would someone please clarify?

Also, it's not clear whether it is even necessary for me to adjust the ticket_lifetime or whether winbind will renew the ticket until the expiry time automatically (and hence the ticket lifetime isn't such a big deal). Note that in the man page for pam_winbind.conf, the krb5_auth option says: "When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) up to date by refreshing it whenever necessary. Defaults to "no"." However, there's no option "winbind refresh tickets" in the man page. There's not an entry for it in examples/pam_winbind/pam_winbind.conf in the source either, but I think it's actually doing that.

Thanks,
Jason
On 30/09/2020 15:51, Jason Keltz via samba wrote:
> Hi.
>
> I have a question about Kerberos ticket lifetime in AD with Samba.
>
> I'm running on CentOS 7 with Samba 4.11. If I change
> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
> /etc/krb5.conf, it doesn't seem to make a difference. When I log out
> and back in to the client (that is using pam_winbind), I still get a
> 10 hour ticket time. I found this page:
>
> https://wiki.samba.org/index.php/Samba_KDC_Settings
>
> and tried setting "kdc:user ticket lifetime = 24" on the DC even
> though this doesn't even appear in the smb.conf man page, but it didn't
> seem to have any effect either. Would someone please clarify?
>
> Also, it's not clear whether it is even necessary for me to adjust the
> ticket_lifetime or whether winbind will renew the ticket until the
> expiry time automatically (and hence the ticket lifetime isn't such a
> big deal). Note that in the man page for pam_winbind.conf, the krb5_auth
> option says: "When this parameter is used in conjunction with winbind
> refresh tickets, winbind will keep your Ticket Granting Ticket (TGT)
> up to date by refreshing it whenever necessary. Defaults to "no"."
> However, there's no option "winbind refresh tickets" in the man page.
> There's not an entry for it in examples/pam_winbind/pam_winbind.conf
> in the source either, but I think it's actually doing that.
>

It is documented in 'man smb.conf'.

Just add 'winbind refresh tickets = yes' to smb.conf; this should ensure your kerberos tickets are kept up to date.

Rowland
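As an added example (not from this thread or the Samba project), a small Python check that parses klist output to report the TGT's ticket and renewable lifetimes in hours, and inspects an smb.conf for the 'winbind refresh tickets = yes' setting Rowland suggests. The klist output and smb.conf fragment are constructed samples; the realm AD.EXAMPLE.COM and the timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample klist output (MIT format) and smb.conf fragment; not from the poster's systems.
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
09/30/2020 15:51:00  10/01/2020 01:51:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\trenew until 10/07/2020 15:51:00
"""
SAMPLE_SMB_CONF = """\
[global]
    security = ads
    winbind refresh tickets = yes
"""

KLIST_TIME = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)")
RENEW_RE = re.compile(rf"renew until ({STAMP})")

def tgt_lifetimes(klist_output):
    """Return (ticket lifetime, renewable lifetime) in hours for the krbtgt entry; renewable is None if absent."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        start = datetime.strptime(m.group(1), KLIST_TIME)
        end = datetime.strptime(m.group(2), KLIST_TIME)
        renew_h = None
        if i + 1 < len(lines):                     # klist prints 'renew until' on the following line
            r = RENEW_RE.search(lines[i + 1])
            if r:
                renew_h = (datetime.strptime(r.group(1), KLIST_TIME) - start).total_seconds() / 3600
        return (end - start).total_seconds() / 3600, renew_h
    raise ValueError("no krbtgt ticket found in klist output")

def refresh_tickets_enabled(smb_conf):
    """True when [global] sets 'winbind refresh tickets' to yes; the smb.conf default is no."""
    section, value = None, "no"
    for line in (l.strip() for l in smb_conf.splitlines()):
        if not line or line[0] in "#;":            # blank or comment line
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if " ".join(key.lower().split()) == "winbind refresh tickets":   # smb.conf keys are case/space-insensitive
                value = val.lower()
    return value in ("yes", "true", "1")
```

On a real client, feed it the output of klist and the contents of smb.conf; the constructed sample reproduces the 10 hour ticket with a 7 day renewable lifetime described in the thread.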
On 9/30/2020 11:15 AM, Rowland penny via samba wrote:
> On 30/09/2020 15:51, Jason Keltz via samba wrote:
>> Hi.
>>
>> I have a question about Kerberos ticket lifetime in AD with Samba.
>>
>> I'm running on CentOS 7 with Samba 4.11. If I change
>> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
>> /etc/krb5.conf, it doesn't seem to make a difference. When I log out
>> and back in to the client (that is using pam_winbind), I still get a
>> 10 hour ticket time. I found this page:
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> and tried setting "kdc:user ticket lifetime = 24" on the DC even
>> though this doesn't even appear in the smb.conf man page, but it didn't
>> seem to have any effect either. Would someone please clarify?
>>
>> Also, it's not clear whether it is even necessary for me to adjust
>> the ticket_lifetime or whether winbind will renew the ticket until
>> the expiry time automatically (and hence the ticket lifetime isn't
>> such a big deal). Note that in the man page for pam_winbind.conf, the
>> krb5_auth option says: "When this parameter is used in conjunction
>> with winbind refresh tickets, winbind will keep your Ticket Granting
>> Ticket (TGT) up to date by refreshing it whenever necessary. Defaults
>> to "no"." However, there's no option "winbind refresh tickets" in the
>> man page. There's not an entry for it in
>> examples/pam_winbind/pam_winbind.conf in the source either, but I
>> think it's actually doing that.
>>
> It is documented in 'man smb.conf'.
>
> Just add 'winbind refresh tickets = yes' to smb.conf; this should
> ensure your kerberos tickets are kept up to date.

Thanks, Rowland. I remembered seeing that setting but couldn't remember where I saw it. The man page for pam_winbind.conf should refer to "winbind refresh tickets" in smb.conf. Any idea how to change the other ticket values though? I want to do testing on what happens to NFS4 mounts after expiry without waiting for 7 days. :)

Jason.