On 10/1/2020 8:41 AM, Rowland penny via samba wrote:
> On 01/10/2020 13:38, Jason Keltz via samba wrote:
>> On 10/1/2020 8:34 AM, Rowland penny via samba wrote:
>>
>>> On 01/10/2020 13:30, Jason Keltz via samba wrote:
>>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote:
>>>>
>>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:
>>>>>> So why is it that winbind renews the ticket on the original
>>>>>> system, but on the system that I ssh to, it does not.
>>>>>
>>>>> Do you have 'winbind refresh tickets = yes' set on all the systems ?
>>>>
>>>> Absolutely. In fact, both systems are using the identical
>>>> smb.conf, identical PAM configuration, and identical pam_winbind.conf.
>>>>
>>>> Jason.
>>>>
>>>>
>>> Thinking about it, when you login via ssh, PAM via pam-winbind
>>> should get you a new ticket on that client.
>>
>> It did do that. However, I left myself logged in intentionally for
>> 10 hours on the system and winbind didn't auto renew the ticket. It
>> did renew it when I *re*sshed, but it should have renewed it on the
>> connection that was left open as well. On the system where I logged
>> in via GNOME and left it for > 10 hours, it did renew it.
>>
>> Jason.
>>
>>
> I am now testing this on Centos 8 and I didn't get a ticket, so let me
> look into this and get back to you.
>
> Rowland
Hi Rowland,
In my case, I think I may know why pam_winbind is not renewing the
ticket before it expires.
When I SSH from one system in the domain to another system in the
domain, SSH is forwarding the ticket to the system. When I do a klist
on the destination system, I see the ticket. Now, I have no choice but
to use /tmp/krb5cc_<uid> as a ticket cache (because KEYRING simply
doesn't work with pam_winbind). However, when I ssh, and do a klist,
the ticket cache file is not actually FILE:/tmp/krb5cc_<uid>. Instead,
it is FILE:/tmp/krb5cc_1004_<10 random chars>. I don't know if it's SSH
that is adding the random characters, or something else, but I suspect
that it is ssh. Since I assume that winbind is only looking at
/tmp/krb5cc_<uid>, it doesn't know anything about the pending ticket
expiry in the other file, and it would appear that's why auto ticket
renewal is not working. Both systems have in /etc/krb5.conf:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
(which is supposed to be the default anyway). I don't know how to tell
ssh that when it's forwarding the ticket to write it to
/tmp/krb5cc_<uid> instead of /tmp/krb5cc_<uid>_<10 random chars>.
If I change KRB5CCNAME, and hard-code it to the right path, the data
still gets written to the other file.
Hopefully you can provide some insight into this.
Jason.
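The cache mismatch described in the message above, as an added diagnostic check that is not part of the thread or of Samba: it expands `default_ccache_name` from a krb5.conf text (MIT's `%{uid}` substitution) and classifies the session's `KRB5CCNAME` against it, flagging the per-session `/tmp/krb5cc_<uid>_<random>` cache observed after ssh delegation. The krb5.conf sample, uid 1004 and the random suffix are constructed; `diagnose` and its result labels are names chosen here.

```python
"""Check whether a login session's Kerberos ticket cache is the default
cache (the one a renewal daemon watching default_ccache_name would see).
Added example, not code from the samba list thread."""
import re

# Constructed krb5.conf excerpt mirroring the setting quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
"""

# MIT's built-in default when krb5.conf does not set default_ccache_name.
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"


def _normalize(ccname: str) -> str:
    """A bare path with no TYPE: prefix is treated as a FILE: cache."""
    return ccname if re.match(r"^[A-Za-z]+:", ccname) else "FILE:" + ccname


def default_ccache(krb5_conf: str, uid: int) -> str:
    """Return the expanded default cache name for the given uid."""
    m = re.search(r"^\s*default_ccache_name\s*=\s*(\S+)", krb5_conf, re.M)
    name = m.group(1) if m else BUILTIN_DEFAULT
    return _normalize(name.replace("%{uid}", str(uid)))


def diagnose(krb5ccname: str, krb5_conf: str, uid: int) -> str:
    """Classify the session cache relative to the default cache.

    'ok'     - session uses the default cache; anything renewing the
               default cache will renew this session's ticket
    'unique' - FILE:<default>_<random>, a per-session cache like the one
               created on ssh delegation; the default cache is untouched
    'other'  - a different cache name or type (e.g. KEYRING:)
    """
    session = _normalize(krb5ccname)
    expected = default_ccache(krb5_conf, uid)
    if session == expected:
        return "ok"
    if expected.startswith("FILE:") and re.fullmatch(
            re.escape(expected) + r"_[A-Za-z0-9]+", session):
        return "unique"
    return "other"


if __name__ == "__main__":
    # Constructed KRB5CCNAME value of the kind reported in the thread.
    print(diagnose("FILE:/tmp/krb5cc_1004_Ab3xYz9QwE", SAMPLE_KRB5_CONF, 1004))
```

On a live host, feed it the real `KRB5CCNAME` of the ssh session and the contents of `/etc/krb5.conf`; a result of `unique` means the renewal logic watching the default cache never sees that session's ticket.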