On 02/10/2020 13:01, Jason Keltz via samba wrote:
> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>
>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>
>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>
>>>> Let's wait and see what happens with your ticket after 10 hours.
>>>> Maybe there's a bug there as well.
>>> It will be in the middle of the night here, so I will report back in
>>> the morning, but if it is a bug (not refreshing, that is), then it
>>> is an RHEL one, it works on Debian.
>>
>> OK, I still have a valid kerberos ticket, it just doesn't seem to
>> have been refreshed when I expected :-\
>>
>> Old ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:34:44
>> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:34:44
>>
>> New ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland@SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>>     renew until 08/10/20 15:41:17
>
> In your case, did you ssh to "centos8", or you just logged into it via
> a GUI? When I login via the GUI, winbind renews the key. When I ssh,
> it does not. On your destination system, the ticket cache is still
> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>
> In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>
> Jason.
>
I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket.

I think your problem is the lack of pam_krb5

Rowland

On 10/2/2020 8:05 AM, Rowland penny via samba wrote:
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
>> In your case, did you ssh to "centos8", or you just logged into it
>> via a GUI? When I login via the GUI, winbind renews the key. When I
>> ssh, it does not. On your destination system, the ticket cache is
>> still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>>
>> In my case, even after I copied the /tmp/krb5cc_UID_<random bits>
>> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>>
>> Jason.
>>
> I logged in via 'ssh' and until I added pam_krb5, I didn't get a
> ticket. I think your problem is the lack of pam_krb5
>
But I ssh to the system and the ticket already forwards. The problem is
just that winbind isn't automatically renewing the ticket. Do you have
"forwardable=true" in /etc/krb5.conf, and did you use "ssh -K <host>" or
do you have GSSAPIDelegateCredentials enabled?

Jason.

On 02/10/2020 13:20, Jason Keltz via samba wrote:
> On 10/2/2020 8:05 AM, Rowland penny via samba wrote:
>> I logged in via 'ssh' and until I added pam_krb5, I didn't get a
>> ticket. I think your problem is the lack of pam_krb5
>>
> But I ssh to the system and the ticket already forwards. The problem
> is just that winbind isn't automatically renewing the ticket. Do you
> have "forwardable=true" in /etc/krb5.conf, and did you use "ssh -K
> <host>" or do you have GSSAPIDelegateCredentials enabled?
>
> Jason.
>
No, no and no

I just use pam_krb5

Rowland
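An added example, not code from the thread or from Samba, that parses klist output in the layout quoted above and checks the two things the thread circles around: whether the TGT could still be renewed at a given moment, and whether a "new ticket" is a renewal or a fresh TGT (a renewal keeps the original renew-until, a fresh authentication gets a later one); it also flags the /tmp/krb5cc_<uid>_<random> cache name Jason describes for the ssh case. The sample snapshots are constructed with the thread's timestamps, and the DD/MM/YY date format is assumed.

```python
import re
from datetime import datetime

TS_FMT = "%d/%m/%y %H:%M:%S"
TS_RE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS_RE})$")

def snapshot(cache, start, expires, renew_until):
    """Constructed klist output in the thread's layout (DD/MM/YY timestamps)."""
    return (f"Ticket cache: {cache}\nDefault principal: rowland@SAMDOM.EXAMPLE.COM\n\n"
            "Valid starting     Expires            Service principal\n"
            f"{start}  {expires}  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM\n"
            f"\trenew until {renew_until}\n")

# The two snapshots quoted in the thread, reconstructed here, not captured live.
OLD = snapshot("FILE:/tmp/krb5cc_10000", "01/10/20 15:34:44", "02/10/20 01:34:44", "08/10/20 15:34:44")
NEW = snapshot("FILE:/tmp/krb5cc_10000", "02/10/20 06:41:20", "02/10/20 16:41:20", "08/10/20 15:41:17")

def ts(s):
    return datetime.strptime(s, TS_FMT)

def parse_klist(text):
    """Return (cache name, list of tickets); a ticket carries renew_until if shown."""
    cache, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif m := TICKET_RE.match(line):
            tickets.append({"start": ts(m[1]), "expires": ts(m[2]),
                            "service": m[3], "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = ts(m[1])
    return cache, tickets

def tgt(text):  # the krbtgt entry, i.e. the ticket a renewer such as winbind refreshes
    return next(t for t in parse_klist(text)[1] if t["service"].startswith("krbtgt/"))

def renewable_at(text, now):
    """A TGT can be renewed only before it expires, and only while renew_until
    lies beyond the current expiry; once expired, a fresh login is required."""
    t = tgt(text)
    return t["renew_until"] is not None and now < t["expires"] < t["renew_until"]

def classify(old_text, new_text):
    """Renewal never extends renew-till (the KDC copies it from the old ticket),
    so a later renew-until means a new TGT from fresh authentication."""
    o, n = tgt(old_text), tgt(new_text)
    return "renewed" if n["renew_until"] == o["renew_until"] and n["start"] > o["start"] else "reissued"

def uses_default_cache(text, uid):
    """False for the ssh case in the thread: a forwarded TGT lands in
    /tmp/krb5cc_<uid>_<random> rather than the default /tmp/krb5cc_<uid>."""
    return parse_klist(text)[0] == f"FILE:/tmp/krb5cc_{uid}"
```

Run against the thread's own snapshots, `classify(OLD, NEW)` reports "reissued": the renew-until moved from 15:34:44 to 15:41:17, so the second TGT came from a new authentication rather than a renewal of the first.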