On 9/30/2020 11:15 AM, Rowland penny via samba wrote:
> On 30/09/2020 15:51, Jason Keltz via samba wrote:
>> Hi.
>>
>> I have a question about Kerberos ticket lifetime in AD with Samba.
>>
>> I'm running on CentOS 7 with Samba 4.11. If I change
>> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client
>> /etc/krb5.conf, it doesn't seem to make a difference. When I log out
>> and back in to the client (that is using pam_winbind), I still get a
>> 10 hour ticket time. I found this page:
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> and tried setting "kdc:user ticket lifetime = 24" on the DC even
>> though this doesn't even appear in smb.conf man page but didn't seem
>> to have any effect either. Would someone please clarify?
>>
>> Also, it's not clear whether it is even necessary for me to adjust
>> the ticket_lifetime or whether winbind will renew the ticket until
>> the expiry time automatically (and hence the ticket lifetime isn't
>> such a big deal). Note that in the man page for pam_winbind.conf,
>> krb5_auth option says: "When this parameter is used in conjunction
>> with winbind refresh tickets, winbind will keep your Ticket Granting
>> Ticket (TGT) uptodate by refreshing it whenever necessary. Defaults
>> to "no". However, there's no option "winbind refresh tickets" in the
>> man page. There's not an entry for it in
>> examples/pam_winbind/pam_winbind.conf in the source either, but I
>> think it's actually doing that.
>>
> It is documented in 'man smb.conf'.
>
> Just add 'winbind refresh tickets = yes' to smb.conf, this should
> ensure your kerberos tickets are kept up to date.

Thanks, Rowland.

I remembered seeing that setting but couldn't remember where I saw it. The man page for pam_winbind.conf should refer to "winbind refresh tickets" in smb.conf. Any idea how to change the other ticket values though?

I want to do testing on what happens to NFS4 mounts after expiry without waiting for 7 days. :)

Jason.
Hi Jason,

> On 30 Sep 2020, at 17:38, Jason Keltz via samba <samba at lists.samba.org> wrote:
>
>
> On 9/30/2020 11:15 AM, Rowland penny via samba wrote:
>> On 30/09/2020 15:51, Jason Keltz via samba wrote:
>>> Hi.
>>>
>>> I have a question about Kerberos ticket lifetime in AD with Samba.
>>>
>>> I'm running on CentOS 7 with Samba 4.11. If I change "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client /etc/krb5.conf, it doesn't seem to make a difference. When I log out and back in to the client (that is using pam_winbind), I still get a 10 hour ticket time. I found this page:
>>>
>>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>>
>>> and tried setting "kdc:user ticket lifetime = 24" on the DC even though this doesn't even appear in smb.conf man page but didn't seem to have any effect either. Would someone please clarify?
>>>
>>> Also, it's not clear whether it is even necessary for me to adjust the ticket_lifetime or whether winbind will renew the ticket until the expiry time automatically (and hence the ticket lifetime isn't such a big deal). Note that in the man page for pam_winbind.conf, krb5_auth option says: "When this parameter is used in conjunction with winbind refresh tickets, winbind will keep your Ticket Granting Ticket (TGT) uptodate by refreshing it whenever necessary. Defaults to "no". However, there's no option "winbind refresh tickets" in the man page. There's not an entry for it in examples/pam_winbind/pam_winbind.conf in the source either, but I think it's actually doing that.
>>>
>> It is documented in 'man smb.conf'.
>>
>> Just add 'winbind refresh tickets = yes' to smb.conf, this should ensure your kerberos tickets are kept up to date.
>
> Thanks, Rowland.
>
> I remembered seeing that setting but couldn't remember where I saw it. The man page for pam_winbind.conf should refer to "winbind refresh tickets" in smb.conf. Any idea how to change the other ticket values though?
>
> I want to do testing on what happens to NFS4 mounts after expiry without waiting for 7 days. :)

On the client, add:

gensec_gssapi:requested_life_time = <int> # seconds

to smb4.conf. E.g. a ticket life time of one hour:

gensec_gssapi:requested_life_time = 3600

-Remy
>> On the client, add:
>>
>> gensec_gssapi:requested_life_time = <int> # seconds
>>
>> to smb4.conf. E.g. a ticket life time of one hour:
>>
>> gensec_gssapi:requested_life_time = 3600

Sorry, I should have written 'Samba member server' instead of 'client', although technically speaking, the member server is an AD client.
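After setting gensec_gssapi:requested_life_time on the member server, the practical check is whether the TGT winbind obtained really has the requested lifetime, since the KDC can still cap the request at the realm maximum (which is one reason a shorter ticket can come back than the one asked for). The following is an added example written for this thread, not code from Samba or from any of the posters. It parses klist output in the MIT Kerberos layout ("Valid starting" / "Expires" columns, MM/DD/YYYY HH:MM:SS timestamps) and compares the krbtgt lifetime with the configured number of seconds. The sample klist text, the EXAMPLE.COM realm and the principal names are constructed for the example; on a real host you would feed it the output of klist run as the logged-in user.

```python
"""Compare a TGT's lifetime (from klist output) with the lifetime requested
via gensec_gssapi:requested_life_time on a Samba member server.

Added example for the samba-list thread above; not Samba project code.
Assumes MIT Kerberos klist output format.
"""
from datetime import datetime
import re

# Constructed sample of `klist` output (not captured from a real host).
# The TGT below is valid for 10 hours and renewable for 7 days, the
# values Jason reports seeing.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10001
Default principal: jason@EXAMPLE.COM

Valid starting       Expires              Service principal
09/30/2020 15:51:12  10/01/2020 01:51:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/07/2020 15:51:12
09/30/2020 15:52:03  10/01/2020 01:51:12  nfs/nfs1.example.com@EXAMPLE.COM
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return one dict per ticket: principal, lifetime_s, renew_s (None if
    the ticket is not renewable)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), FMT)
            expires = datetime.strptime(m.group(2), FMT)
            tickets.append({
                "principal": m.group(3),
                "lifetime_s": int((expires - start).total_seconds()),
                "renew_s": None,
                "_start": start,
            })
            continue
        # A "renew until" line always belongs to the ticket printed just before it.
        m = RENEW_RE.match(line)
        if m and tickets:
            renew = datetime.strptime(m.group(1), FMT)
            tickets[-1]["renew_s"] = int((renew - tickets[-1]["_start"]).total_seconds())
    for t in tickets:
        t.pop("_start")
    return tickets


def tgt_lifetime(tickets):
    """Lifetime in seconds of the krbtgt ticket, or None if no TGT is cached."""
    for t in tickets:
        if t["principal"].startswith("krbtgt/"):
            return t["lifetime_s"]
    return None


def check_requested_lifetime(text, requested_s):
    """Return (ok, actual_s). ok is True only when the cached TGT's lifetime
    equals the requested value; a shorter actual lifetime usually means the
    KDC capped the request at the realm maximum."""
    actual = tgt_lifetime(parse_klist(text))
    return (actual == requested_s, actual)


if __name__ == "__main__":
    ok, actual = check_requested_lifetime(SAMPLE_KLIST, 3600)
    print(f"TGT lifetime: {actual}s, matches requested 3600s: {ok}")
```

Run as-is the script reports the 10-hour (36000 s) TGT from the constructed sample and flags that it does not match a 3600 s request; pipe in real klist output to see whether your own member server's setting took effect.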