samba - Oct 2020 - Kerberos ticket lifetime

On 02/10/2020 13:01, Jason Keltz via samba wrote:
> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>
>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>
>>>>
>>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
>>>>
>>>> Let's wait and see what happens with your ticket after 10
hours.
>>>> Maybe there's a bug there as well.
>>> It will be in the middle of the night here, so I will report back
in
>>> the morning, but if it is a bug (not refreshing, that is), then it 
>>> is an RHEL one, it works on Debian.
>>
>> OK, I still have a valid kerberos ticket, it just doesn't seem to 
>> have been refreshed when I expected :-\
>>
>> Old ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting???? Expires??????????? Service principal
>> 01/10/20 15:34:44? 02/10/20 01:34:44 
>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:34:44
>> 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:34:44
>>
>> New ticket:
>>
>> Ticket cache: FILE:/tmp/krb5cc_10000
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting???? Expires??????????? Service principal
>> 02/10/20 06:41:20? 02/10/20 16:41:20 
>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>> ??? renew until 08/10/20 15:41:17 
>
> In your case, did you ssh to "centos8", or you just logged into
it via
> a GUI?? When I login via the GUI, winbind renews the key. When I ssh, 
> it does not.? On your destination system, the ticket cache is still 
> /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>
> In my case, even after I copied the /tmp/krb5cc_UID_<random bits>
back
> to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>
> Jason.
>
>
I logged in via 'ssh' and until I added pam_krb5, I didn't get a
ticket.
I think your problem is the lack of pam_krb5

Rowland

On 10/2/2020 8:05 AM, Rowland penny via samba wrote:
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
>> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>>
>>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>>
>>>>>
>>>>> Okay - I guess the failure of kdc: lines in smb.conf is a
bug.
>>>>>
>>>>> Let's wait and see what happens with your ticket after
10 hours.
>>>>> Maybe there's a bug there as well.
>>>> It will be in the middle of the night here, so I will report
back
>>>> in the morning, but if it is a bug (not refreshing, that is),
then
>>>> it is an RHEL one, it works on Debian.
>>>
>>> OK, I still have a valid kerberos ticket, it just doesn't seem
to
>>> have been refreshed when I expected :-\
>>>
>>> Old ticket:
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>>
>>> Valid starting???? Expires??????????? Service principal
>>> 01/10/20 15:34:44? 02/10/20 01:34:44 
>>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>> ??? renew until 08/10/20 15:34:44
>>> 01/10/20 15:34:44? 02/10/20 01:34:44? CEN8$@SAMDOM.EXAMPLE.COM
>>> ??? renew until 08/10/20 15:34:44
>>>
>>> New ticket:
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>>
>>> Valid starting???? Expires??????????? Service principal
>>> 02/10/20 06:41:20? 02/10/20 16:41:20 
>>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>> ??? renew until 08/10/20 15:41:17 
>>
>> In your case, did you ssh to "centos8", or you just logged
into it
>> via a GUI?? When I login via the GUI, winbind renews the key. When I 
>> ssh, it does not.? On your destination system, the ticket cache is 
>> still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>>
>> In my case, even after I copied the /tmp/krb5cc_UID_<random bits>
>> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>>
>> Jason.
>>
>>
> I logged in via 'ssh' and until I added pam_krb5, I didn't get
a
> ticket. I think your problem is the lack of pam_krb5
>
But I ssh to the system and the ticket already forwards.? The problem is 
just that winbind isn't automatically renewing the ticket.?? Do you have 
"forwardable=true" in /etc/krb5.conf, and did you use "ssh -K
<host>" or
do you have GSSAPIDelegateCredentials enabled?

Jason.

On 02/10/2020 13:20, Jason Keltz via samba wrote:
> On 10/2/2020 8:05 AM, Rowland penny via samba wrote:
>
>> On 02/10/2020 13:01, Jason Keltz via samba wrote:
>>> On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
>>>
>>>> On 01/10/2020 21:46, Rowland penny via samba wrote:
>>>>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
>>>>>>
>>>>>>
>>>>>> Okay - I guess the failure of kdc: lines in smb.conf is
a bug.
>>>>>>
>>>>>> Let's wait and see what happens with your ticket
after 10 hours.
>>>>>> Maybe there's a bug there as well.
>>>>> It will be in the middle of the night here, so I will
report back
>>>>> in the morning, but if it is a bug (not refreshing, that
is), then
>>>>> it is an RHEL one, it works on Debian.
>>>>
>>>> OK, I still have a valid kerberos ticket, it just doesn't
seem to
>>>> have been refreshed when I expected :-\
>>>>
>>>> Old ticket:
>>>>
>>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>>>
>>>> Valid starting???? Expires??????????? Service principal
>>>> 01/10/20 15:34:44? 02/10/20 01:34:44 
>>>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>>> ??? renew until 08/10/20 15:34:44
>>>> 01/10/20 15:34:44? 02/10/20 01:34:44 CEN8$@SAMDOM.EXAMPLE.COM
>>>> ??? renew until 08/10/20 15:34:44
>>>>
>>>> New ticket:
>>>>
>>>> Ticket cache: FILE:/tmp/krb5cc_10000
>>>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>>>
>>>> Valid starting???? Expires??????????? Service principal
>>>> 02/10/20 06:41:20? 02/10/20 16:41:20 
>>>> krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>>> ??? renew until 08/10/20 15:41:17 
>>>
>>> In your case, did you ssh to "centos8", or you just
logged into it
>>> via a GUI?? When I login via the GUI, winbind renews the key. When
I
>>> ssh, it does not.? On your destination system, the ticket cache is 
>>> still /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
>>>
>>> In my case, even after I copied the /tmp/krb5cc_UID_<random
bits>
>>> back to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
>>>
>>> Jason.
>>>
>>>
>> I logged in via 'ssh' and until I added pam_krb5, I didn't
get a
>> ticket. I think your problem is the lack of pam_krb5
>>
> But I ssh to the system and the ticket already forwards.? The problem 
> is just that winbind isn't automatically renewing the ticket.?? Do you 
> have "forwardable=true" in /etc/krb5.conf, and did you use
"ssh -K
> <host>" or do you have GSSAPIDelegateCredentials enabled?
>
> Jason.
>
No, no and no

I just use pam_krb5

Rowland