On 01/10/2020 21:46, Rowland penny via samba wrote:
> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>
>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>
>> Let's wait and see what happens with your ticket after 10 hours.
>> Maybe there's a bug there as well.
> It will be in the middle of the night here, so I will report back in
> the morning, but if it is a bug (not refreshing, that is), then it is
> an RHEL one, it works on Debian.

OK, I still have a valid kerberos ticket, it just doesn't seem to have been refreshed when I expected :-\

Old ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:34:44

New ticket:

Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:41:17

Rowland
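Added example, not part of the original thread: a small parser for the two klist listings quoted in the message above that compares the ticket lifetimes and the "renew until" values of the two TGTs. It assumes the dd/mm/yy layout shown there, relies on the RFC 4120 rule that a renewed ticket keeps the renew-till time of the ticket it was renewed from, and assumes both initial tickets were granted the same renewable lifetime; all function names are illustrative.

```python
import re
from datetime import datetime

# klist listings from the message above (dd/mm/yy as printed there;
# the list archive's " at " is written back as "@").
OLD = """\
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:34:44
"""
NEW = """\
02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 08/10/20 15:41:17
"""

TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {TS}\s*$")

def _ts(text):
    return datetime.strptime(text, "%d/%m/%y %H:%M:%S")

def parse_klist(listing):
    """Parse ticket lines and their 'renew until' continuation lines."""
    tickets = []
    for line in listing.splitlines():
        if m := ENTRY.match(line):
            tickets.append({"start": _ts(m[1]), "end": _ts(m[2]),
                            "principal": m[3], "renew_till": None})
        elif (m := RENEW.match(line)) and tickets:
            tickets[-1]["renew_till"] = _ts(m[1])
    return tickets

def tgt(listing):
    """Return the krbtgt entry of a listing (StopIteration if there is none)."""
    return next(t for t in parse_klist(listing) if t["principal"].startswith("krbtgt/"))

def compare_tgts(old_listing, new_listing):
    old, new = tgt(old_listing), tgt(new_listing)
    # Assumption: the old TGT was never renewed, so its start is its issue time.
    renewable_life = old["renew_till"] - old["start"]
    return {
        "old_lifetime": old["end"] - old["start"],
        "new_lifetime": new["end"] - new["start"],
        # A renewal keeps renew-till (RFC 4120); equal values mean same initial ticket.
        "same_initial_ticket": old["renew_till"] == new["renew_till"],
        # Assumption: both initial tickets got the same renewable lifetime.
        "new_tgt_first_issued": new["renew_till"] - renewable_life,
    }

if __name__ == "__main__":
    for key, value in compare_tgts(OLD, NEW).items():
        print(f"{key}: {value}")
```

Run against listings taken at known times, the same comparison shows whether a TGT in the cache was renewed in place or replaced by a fresh initial ticket.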
On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> On 01/10/2020 21:46, Rowland penny via samba wrote:
>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>
>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>
>>> Let's wait and see what happens with your ticket after 10 hours.
>>> Maybe there's a bug there as well.
>> It will be in the middle of the night here, so I will report back in
>> the morning, but if it is a bug (not refreshing, that is), then it is
>> an RHEL one, it works on Debian.
>
> OK, I still have a valid kerberos ticket, it just doesn't seem to have
> been refreshed when I expected :-\
>
> Old ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 08/10/20 15:34:44
> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
>         renew until 08/10/20 15:34:44
>
> New ticket:
>
> Ticket cache: FILE:/tmp/krb5cc_10000
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 08/10/20 15:41:17

In your case, did you ssh to "centos8", or you just logged into it via a GUI? When I login via the GUI, winbind renews the key. When I ssh, it does not. On your destination system, the ticket cache is still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.

In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.

Jason.
On 02/10/2020 13:01, Jason Keltz via samba wrote:
> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>
>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>
>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>
>>>> Let's wait and see what happens with your ticket after 10 hours.
>>>> Maybe there's a bug there as well.
>>> It will be in the middle of the night here, so I will report back in
>>> the morning, but if it is a bug (not refreshing, that is), then it
>>> is an RHEL one, it works on Debian.
>>
>> OK, I still have a valid kerberos ticket, it just doesn't seem to
>> have been refreshed when I expected :-\
>>
>> Old ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>         renew until 08/10/20 15:34:44
>> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
>>         renew until 08/10/20 15:34:44
>>
>> New ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>         renew until 08/10/20 15:41:17
>
> In your case, did you ssh to "centos8", or you just logged into it via
> a GUI? When I login via the GUI, winbind renews the key. When I ssh,
> it does not. On your destination system, the ticket cache is still
> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>
> In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>
> Jason.

I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket.
I think your problem is the lack of pam_krb5

Rowland
Maybe it's..
authconfig --enablewinbindkrb5 --update

Requirements to achieve this:
- A valid /etc/krb5.conf
- A valid system keytab /etc/krb5.keytab
- A valid /etc/samba/smb.conf -> will be modified by authconfig
( found on internet worked in centos7 )

But better read..
https://sssd.io/docs/users/pam_krb5_migration.html

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Friday 2 October 2020 14:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
>
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
> > On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> >
> >> On 01/10/2020 21:46, Rowland penny via samba wrote:
> >>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
> >>>>
> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
> >>>>
> >>>> Let's wait and see what happens with your ticket after 10 hours.
> >>>> Maybe there's a bug there as well.
> >>> It will be in the middle of the night here, so I will report back in
> >>> the morning, but if it is a bug (not refreshing, that is), then it
> >>> is an RHEL one, it works on Debian.
> >>
> >> OK, I still have a valid kerberos ticket, it just doesn't seem to
> >> have been refreshed when I expected :-\
> >>
> >> Old ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >>         renew until 08/10/20 15:34:44
> >> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
> >>         renew until 08/10/20 15:34:44
> >>
> >> New ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland at SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
> >>         renew until 08/10/20 15:41:17
> >
> > In your case, did you ssh to "centos8", or you just logged into it via
> > a GUI? When I login via the GUI, winbind renews the key. When I ssh,
> > it does not. On your destination system, the ticket cache is still
> > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
> >
> > In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
> >
> > Jason.
>
> I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket.
> I think your problem is the lack of pam_krb5
>
> Rowland