On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>>
>> Hi Rowland,
>>
>> In my case, I think I may know why pam_winbind is not renewing the
>> ticket before it expires.
>>
> I don't think it matters about the extra characters in the ticket
> name, I think the ticket search looks for a ticket that is owned by
> the user. I also don't think ssh is forwarding the ticket, it gets a
> new one for the user.
>
> If you are using RHEL7 (or a clone), you are going to love RHEL8, they
> have removed pam_krb5.
>
> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain
> member and they do not work for myself, I am now waiting overnight to
> see if a user's ticket gets refreshed after 10 hours.

Okay - I guess the failure of kdc: lines in smb.conf is a bug.

Let's wait and see what happens with your ticket after 10 hours. Maybe there's a bug there as well.

Just for fun, I tried to copy the ticket with random characters to /tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will see after 10 hours whether winbind magically renews the ticket now that the ticket doesn't have the random chars in the name.

I'm not using pam_krb5. I was under the impression it's not necessary. I'm just using pam_winbind.

I thought that the reason I could ssh from one system in the domain to another system in the domain while holding a valid Kerberos ticket was because the TGT got forwarded from the original host to the new host, but I may be misunderstanding the protocol.

Jason.
On 01/10/2020 21:23, Jason Keltz via samba wrote:
>
> On 10/1/2020 4:10 PM, Rowland penny via samba wrote:
>> On 01/10/2020 20:47, Jason Keltz via samba wrote:
>>>
>>> Hi Rowland,
>>>
>>> In my case, I think I may know why pam_winbind is not renewing the
>>> ticket before it expires.
>>>
>> I don't think it matters about the extra characters in the ticket
>> name, I think the ticket search looks for a ticket that is owned by
>> the user. I also don't think ssh is forwarding the ticket, it gets a
>> new one for the user.
>>
>> If you are using RHEL7 (or a clone), you are going to love RHEL8,
>> they have removed pam_krb5.
>>
>> I have tested the 'kdc:*****' lines in smb.conf on a Unix domain
>> member and they do not work for myself, I am now waiting overnight
>> to see if a user's ticket gets refreshed after 10 hours.
>
> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>
> Let's wait and see what happens with your ticket after 10 hours. Maybe
> there's a bug there as well.

It will be in the middle of the night here, so I will report back in the morning, but if it is a bug (not refreshing, that is), then it is an RHEL one, it works on Debian.

> Just for fun, I tried to copy the ticket with random characters to
> /tmp/krb5cc_<uid>, then unset KRB5CCNAME after the SSH, and I too will
> see after 10 hours whether winbind magically renews the ticket now
> that the ticket doesn't have the random chars in the name.
>
> I'm not using pam_krb5. I was under the impression it's not
> necessary. I'm just using pam_winbind.

Ahh, I didn't get a ticket on Centos8 until I downloaded the pam-krb5 source package from Centos7 and compiled and installed it, then set up PAM to use it.

> I thought that the reason I could ssh from one system in the domain to
> another system in the domain while holding a valid Kerberos ticket was
> because the TGT got forwarded from the original host to the new host,
> but I may be misunderstanding the protocol.

I am not an expert on kerberos, but I don't think it works that way, I have always had to install pam-krb5 to get kerberos to work with Samba. On RHEL8, pam-krb5 has been replaced by pam-sss, which is just a wrapper around sssd, which is a bit strange, even RHEL admits that you cannot use sssd with winbind.

Rowland
On 01/10/2020 21:46, Rowland penny via samba wrote:
> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>
>>
>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>
>> Let's wait and see what happens with your ticket after 10 hours.
>> Maybe there's a bug there as well.
> It will be in the middle of the night here, so I will report back in
> the morning, but if it is a bug (not refreshing, that is), then it is
> an RHEL one, it works on Debian.

OK, I still have a valid kerberos ticket, it just doesn't seem to have been refreshed when I expected :-\

Old ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:34:44

New ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:41:17

Rowland
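The two klist snapshots above are the kind of evidence an admin has when deciding whether winbind (or a PAM module) renewed a user's TGT or simply obtained a different one. The following script is an added example written for this page; it is not code from the thread, from Samba, or from any of the participants. It parses MIT klist output, picks out the krbtgt entry, and compares two snapshots. The distinction it relies on is a Kerberos property: a renewal (TGS-REQ with the RENEW option) yields a TGT with a new start and expiry but the same "renew until" as the original, whereas a TGT whose "renew until" differs is a different ticket, not a renewal of the one previously shown. The embedded sample input is a constructed copy of Rowland's two listings with the mailing-list archive's " at " obfuscation restored to "@"; the day-first date format, the function names and the one-hour warning threshold are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the two klist listings quoted in the thread,
# with "@" restored. Timestamps are assumed to be DD/MM/YY HH:MM:SS.
OLD_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:34:44
"""

NEW_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
	renew until 08/10/20 15:41:17
"""

TS_FORMAT = "%d/%m/%y %H:%M:%S"  # assumed day-first format (as in the thread)
TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(r"^(" + TS_RE + r")\s+(" + TS_RE + r")\s+(\S+)\s*$")
RENEW_RE = re.compile(r"^\s*renew until (" + TS_RE + r")\s*$")


def parse_ts(s):
    """Parse one klist timestamp into a datetime."""
    return datetime.strptime(s, TS_FORMAT)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [...]} from MIT klist output."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            info["tickets"].append({
                "start": parse_ts(m.group(1)),
                "expires": parse_ts(m.group(2)),
                "service": m.group(3),
                "renew_until": None,   # filled in by the following indented line
            })
            continue
        m = RENEW_RE.match(line)
        if m and info["tickets"]:
            info["tickets"][-1]["renew_until"] = parse_ts(m.group(1))
    return info


def tgt(info):
    """The TGT entry (service principal krbtgt/REALM@REALM), or None."""
    for t in info["tickets"]:
        if t["service"].startswith("krbtgt/"):
            return t
    return None


def classify_change(old_text, new_text):
    """What happened to the TGT between two snapshots of the same cache.

    'renewed'   - same renew-until, later start: the original TGT was renewed.
    'replaced'  - renew-until differs: the cache now holds a different TGT
                  (not a renewal of the one in the old snapshot).
    'unchanged' - identical lifetimes; nothing happened.
    """
    old, new = tgt(parse_klist(old_text)), tgt(parse_klist(new_text))
    if old is None or new is None:
        return "missing-tgt"
    key = lambda t: (t["start"], t["expires"], t["renew_until"])
    if key(old) == key(new):
        return "unchanged"
    if new["renew_until"] == old["renew_until"] and new["start"] > old["start"]:
        return "renewed"
    return "replaced"


def expiry_warning(text, now, warn_before=timedelta(hours=1)):
    """True if the TGT in this listing expires within warn_before of `now`."""
    t = tgt(parse_klist(text))
    return t is not None and t["expires"] - now <= warn_before


if __name__ == "__main__":
    print("old -> new:", classify_change(OLD_KLIST, NEW_KLIST))
    print("expiring within 1h at 02/10/20 01:00:00:",
          expiry_warning(OLD_KLIST, parse_ts("02/10/20 01:00:00")))
```

Run against the two listings in the thread, `classify_change` reports `replaced`: the new TGT's "renew until" (08/10/20 15:41:17) is not the old one's (08/10/20 15:34:44), so whatever put it in the cache did not renew the ticket from the first snapshot. To use this on a live host, feed it the output of `klist -c /tmp/krb5cc_<uid>` taken at two points in time; `expiry_warning` is the check a cron job or monitoring probe would run to catch caches that are about to lapse before any renewal happens.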