samba - Oct 2020 - Kerberos ticket lifetime

On 01/10/2020 21:46, Rowland penny via samba wrote:
> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>
>>
>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>
>> Let's wait and see what happens with your ticket after 10 hours. 
>> Maybe there's a bug there as well.
> It will be in the middle of the night here, so I will report back in 
> the morning, but if it is a bug (not refreshing, that is), then it is 
> an RHEL one, it works on Debian.
OK, I still have a valid kerberos ticket, it just doesn't seem to have 
been refreshed when I expected :-\

Old ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting???? Expires??????????? Service principal
01/10/20 15:34:44? 02/10/20 01:34:44 
krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
 ??? renew until 08/10/20 15:34:44
01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
 ??? renew until 08/10/20 15:34:44

New ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting???? Expires??????????? Service principal
02/10/20 06:41:20? 02/10/20 16:41:20 
krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
 ??? renew until 08/10/20 15:41:17

Rowland

On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> On 01/10/2020 21:46, Rowland penny via samba wrote:
>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>
>>>
>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>
>>> Let's wait and see what happens with your ticket after 10
hours.
>>> Maybe there's a bug there as well.
>> It will be in the middle of the night here, so I will report back in 
>> the morning, but if it is a bug (not refreshing, that is), then it is 
>> an RHEL one, it works on Debian.
>
> OK, I still have a valid kerberos ticket, it just doesn't seem to have 
> been refreshed when I expected :-\
>
> Old ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting???? Expires??????????? Service principal
> 01/10/20 15:34:44? 02/10/20 01:34:44 
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> ??? renew until 08/10/20 15:34:44
> 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
> ??? renew until 08/10/20 15:34:44
>
> New ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting???? Expires??????????? Service principal
> 02/10/20 06:41:20? 02/10/20 16:41:20 
> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> ??? renew until 08/10/20 15:41:17 
In your case, did you ssh to "centos8", or you just logged into it via
a
GUI?? When I login via the GUI, winbind renews the key. When I ssh, it 
does not.? On your destination system, the ticket cache is still 
/tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.

In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back 
to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.

Jason.

On 02/10/2020 13:01, Jason Keltz via samba wrote:
> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>
>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>
>>>>
>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>
>>>> Let's wait and see what happens with your ticket after 10
hours.
>>>> Maybe there's a bug there as well.
>>> It will be in the middle of the night here, so I will report back
in
>>> the morning, but if it is a bug (not refreshing, that is), then it 
>>> is an RHEL one, it works on Debian.
>>
>> OK, I still have a valid kerberos ticket, it just doesn't seem to 
>> have been refreshed when I expected :-\
>>
>> Old ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting???? Expires??????????? Service principal
>> 01/10/20 15:34:44? 02/10/20 01:34:44 
>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:34:44
>> 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:34:44
>>
>> New ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting???? Expires??????????? Service principal
>> 02/10/20 06:41:20? 02/10/20 16:41:20 
>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:41:17 
>
> In your case, did you ssh to "centos8", or you just logged into
it via
> a GUI?? When I login via the GUI, winbind renews the key. When I ssh, 
> it does not.? On your destination system, the ticket cache is still 
> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>
> In my case, even after I copied the /tmp/krb5cc_UID_<random bits>
back
> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>
> Jason.
>
>
I logged in via 'ssh' and until I added pam_krb5, I didn't get a
ticket.
I think your problem is the lack of pam_krb5

Rowland

Maybe its.. 

authconfig --enablewinbindkrb5 --update 

Requirements to achieve this:

- A valid /etc/krb5.conf
- A valid system keytab /etc/krb5.keytab
- A valid /etc/samba/smb.conf -> will be modified by authconfig 

( found on internet worked in centos7  ) 

But better read.. 
https://sssd.io/docs/users/pam_krb5_migration.html 

Greetz, 

Louis


 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: vrijdag 2 oktober 2020 14:06
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Kerberos ticket lifetime
> 
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
> > On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> >
> >> On 01/10/2020 21:46, Rowland penny via samba wrote:
> >>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
> >>>>
> >>>>
> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a
bug.
> >>>>
> >>>> Let's wait and see what happens with your ticket after
10 hours.
> >>>> Maybe there's a bug there as well.
> >>> It will be in the middle of the night here, so I will 
> report back in 
> >>> the morning, but if it is a bug (not refreshing, that 
> is), then it 
> >>> is an RHEL one, it works on Debian.
> >>
> >> OK, I still have a valid kerberos ticket, it just doesn't seem
to
> >> have been refreshed when I expected :-\
> >>
> >> Old ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting???? Expires??????????? Service principal
> >> 01/10/20 15:34:44? 02/10/20 01:34:44 
> >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >> ??? renew until 08/10/20 15:34:44
> >> 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
> >> ??? renew until 08/10/20 15:34:44
> >>
> >> New ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting???? Expires??????????? Service principal
> >> 02/10/20 06:41:20? 02/10/20 16:41:20 
> >> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >> ??? renew until 08/10/20 15:41:17 
> >
> > In your case, did you ssh to "centos8", or you just logged 
> into it via 
> > a GUI?? When I login via the GUI, winbind renews the key. 
> When I ssh, 
> > it does not.? On your destination system, the ticket cache is still 
> > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
> >
> > In my case, even after I copied the /tmp/krb5cc_UID_<random 
> bits> back 
> > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
> >
> > Jason.
> >
> >
> I logged in via 'ssh' and until I added pam_krb5, I didn't 
> get a ticket. 
> I think your problem is the lack of pam_krb5
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>