On 01/10/2020 00:23, Jason Keltz via samba wrote:
>
> Remy,
>
> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24

I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ?

> When I log in to the client (which is using pam_winbind module), I have 10 hour ticket life.

That is the default.

> The client is mounting from an NFS server that is also part of the domain.
>
> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>
> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit. Even these "kdc:" options are not part of smb man page. I don't really understand why. I guess everyone keeps the defaults?

Provided you have 'winbind refresh tickets = yes' in the smb.conf on the Unix domain member, the users' tickets will be renewed when required.

Rowland
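One way to check what Jason describes wanting to test, added here as an example and not code from anyone in the thread: run `klist` on the domain member after a pam_winbind logon and compare the TGT's lifetime with the value configured on the DC, rather than guessing from krb5.conf. The `klist` text below is a constructed sample in MIT Kerberos output format (principal names and times are made up); Heimdal's `klist` prints a different layout and would need its own regex. The script also reports whether the TGT carries a "renew until" time later than its expiry, because a ticket that is not renewable cannot be renewed by winbind or anything else and has to be obtained afresh.

```python
import re
from datetime import datetime

# Constructed sample in MIT Kerberos `klist` format, modelled on what a domain
# member shows after a pam_winbind logon with the default 10 hour ticket life.
# Principal names, cache path and times are made up for this example.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: jason@EXAMPLE.COM

Valid starting       Expires              Service principal
10/01/2020 09:00:00  10/01/2020 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 10/08/2020 09:00:00
10/01/2020 09:00:05  10/01/2020 19:00:00  nfs/nfsserver.example.com@EXAMPLE.COM
\trenew until 10/08/2020 09:00:00
"""

# MIT klist timestamps in the C locale look like "10/01/2020 09:00:00".
TS_FMT = "%m/%d/%Y %H:%M:%S"
TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS_RE})$")


def parse_klist(text):
    """Return one dict per ticket: start, expires, principal, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TS_FMT),
                "expires": datetime.strptime(m.group(2), TS_FMT),
                "principal": m.group(3),
                "renew_until": None,
            })
            continue
        # The "renew until" line belongs to the ticket printed just above it.
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FMT)
    return tickets


def tgt(tickets):
    """The ticket-granting ticket is the one whose service is krbtgt/REALM."""
    for t in tickets:
        if t["principal"].startswith("krbtgt/"):
            return t
    return None


def lifetime_hours(ticket):
    return (ticket["expires"] - ticket["start"]).total_seconds() / 3600


def renewal_hours(ticket):
    if ticket["renew_until"] is None:
        return 0.0
    return (ticket["renew_until"] - ticket["start"]).total_seconds() / 3600


def check_tgt(klist_text, expected_lifetime_hours):
    """Compare the TGT in klist output with the lifetime the KDC was meant to issue.

    expected_lifetime_hours is the value of 'kdc:user ticket lifetime' set on
    the DC (24 in Jason's config, 1 for his planned test, 10 if left default).
    """
    t = tgt(parse_klist(klist_text))
    if t is None:
        return {"found": False}
    life = lifetime_hours(t)
    return {
        "found": True,
        "lifetime_hours": life,
        # Only a ticket whose renew-until lies beyond its expiry can be renewed.
        "renewable": t["renew_until"] is not None and t["renew_until"] > t["expires"],
        "renewal_window_hours": renewal_hours(t),
        "matches_kdc_setting": abs(life - expected_lifetime_hours) < 0.01,
    }


if __name__ == "__main__":
    import sys
    # Usage on a domain member:  klist | python3 check_tgt.py 1
    # With nothing piped in, the constructed sample above is analysed.
    expected = float(sys.argv[1]) if len(sys.argv) > 1 else 10.0
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    print(check_tgt(text, expected))
```

Running it once right after logon and again after the configured lifetime has passed shows whether winbind actually refreshed the TGT (a new "Valid starting" time) or whether the cache simply expired.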
> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>
>> Remy,
>>
>> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24
> I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ?

Uh, no?

https://wiki.samba.org/index.php/Samba_KDC_Settings

So the question is, is that info on the Wiki (still) valid and if so, why isn't it documented in the smb.conf man page?

>> When I login to the client (which is using pam_winbind module), I have 10 hour ticket life.
> That is the default.
>>
>> The client is mounting from an NFS server that is also part of the domain.
>>
>> I do notice that if I modify ticket_lifetime via /etc/krb5.conf on the client, it only takes effect if I use kinit, and that isn't really testing winbind.
>>
>> After I understood that winbind should renew the ticket for me, I wanted to test that, so the intention was to change kdc:user ticket lifetime = 1 and see what happens in an hour on client - would the ticket be renewed, and I would continue to have access to the NFS share, or would I be receiving an error and require kinit. Even these "kdc:" options are not part of smb man page. I don't really understand why. I guess everyone keeps the defaults?
>
> Provided you have 'winbind refresh tickets = yes' in the smb.conf on the Unix domain member, the users tickets will be renewed when required.

-Remy
On 01/10/2020 11:22, Remy Zandwijk wrote:
>
>> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>>
>>> Remy,
>>>
>>> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24
>> I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ?
>
> Uh, no?
>
> https://wiki.samba.org/index.php/Samba_KDC_Settings
>
> So the question is, is that info on the Wiki (still) valid and if so, why isn't it documented in the smb.conf man page?

Well, you learn something new every day :-)

A quick search in 'man smb.conf' on 'kdc' turns this up:

    gpo update command (G)
        This option sets the command that is called to apply GPO policies.
        The samba-gpupdate script applies System Access and Kerberos Policies
        to the KDC. System Access policies set minPwdAge, maxPwdAge,
        minPwdLength, and pwdProperties in the samdb. Kerberos Policies set
        kdc:service ticket lifetime, kdc:user ticket lifetime, and
        kdc:renewal lifetime in smb.conf.

Apart from the wiki page (which dates back to 2014), that is it. Let me look into this further.

Rowland