Maybe its..

authconfig --enablewinbindkrb5 --update

Requirements to achieve this:

- A valid /etc/krb5.conf
- A valid system keytab /etc/krb5.keytab
- A valid /etc/samba/smb.conf -> will be modified by authconfig

( found on internet worked in centos7 )

But better read..
https://sssd.io/docs/users/pam_krb5_migration.html

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Friday 2 October 2020 14:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
>
> On 02/10/2020 13:01, Jason Keltz via samba wrote:
> > On 10/2/2020 5:25 AM, Rowland penny via samba wrote:
> >
> >> On 01/10/2020 21:46, Rowland penny via samba wrote:
> >>> On 01/10/2020 21:23, Jason Keltz via samba wrote:
> >>>>
> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug.
> >>>>
> >>>> Let's wait and see what happens with your ticket after 10 hours.
> >>>> Maybe there's a bug there as well.
> >>> It will be in the middle of the night here, so I will report back in
> >>> the morning, but if it is a bug (not refreshing, that is), then it
> >>> is an RHEL one, it works on Debian.
> >>
> >> OK, I still have a valid kerberos ticket, it just doesn't seem to
> >> have been refreshed when I expected :-\
> >>
> >> Old ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland@SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:34:44
> >> 01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:34:44
> >>
> >> New ticket:
> >>
> >> Ticket cache: FILE:/tmp/krb5cc_10000
> >> Default principal: rowland@SAMDOM.EXAMPLE.COM
> >>
> >> Valid starting     Expires            Service principal
> >> 02/10/20 06:41:20  02/10/20 16:41:20  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
> >>     renew until 08/10/20 15:41:17
> >
> > In your case, did you ssh to "centos8", or you just logged into it via
> > a GUI?  When I login via the GUI, winbind renews the key.  When I ssh,
> > it does not.  On your destination system, the ticket cache is still
> > /tmp/krb5cc_UID, and not /tmp/krb5cc_UID_<random bits>.
> >
> > In my case, even after I copied the /tmp/krb5cc_UID_<random bits> back
> > to /tmp/krb5cc_UID, winbind also did not renew the key. sigh.
> >
> > Jason.
>
> I logged in via 'ssh' and until I added pam_krb5, I didn't get a ticket.
> I think your problem is the lack of pam_krb5
>
> Rowland

Hi Louis,

I had already done that at one point.

My pam_winbind is already working.  I can SSH to the system, and I get a proper ticket.  My only issue is that it doesn't refresh the ticket before expiry when I ssh to a system.  I think I can script around that and just not rely on winbind to do it.

Jason.

On 10/2/2020 8:16 AM, L.P.H. van Belle via samba wrote:
> Maybe its..
>
> authconfig --enablewinbindkrb5 --update
>
> Requirements to achieve this:
>
> - A valid /etc/krb5.conf
> - A valid system keytab /etc/krb5.keytab
> - A valid /etc/samba/smb.conf -> will be modified by authconfig
>
> ( found on internet worked in centos7 )
>
> But better read..
> https://sssd.io/docs/users/pam_krb5_migration.html
>
> Greetz,
>
> Louis

--
Jason Keltz
Manager of Development
Department of Electrical Engineering & Computer Science
York University, Toronto, Canada
Tel: 416-736-2100 x. 33570
Fax: 416-736-5872

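
The scripted renewal mentioned in the message above, as an added example that is not part of the original thread or any participant's code: it parses `klist` output of the kind quoted in the thread and decides whether the TGT is fine, should be renewed with `kinit -R`, or needs a fresh login. The sample text, the dd/mm/yy date format, the one-hour margin and the function names are assumptions.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
01/10/20 15:34:44  02/10/20 01:34:44  CEN8$@SAMDOM.EXAMPLE.COM
\trenew until 08/10/20 15:34:44
01/10/20 15:34:44  02/10/20 01:34:44  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
\trenew until 08/10/20 15:34:44
"""

FMT = "%d/%m/%y %H:%M:%S"  # assumption: klist prints day/month/year here
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until ({STAMP})\s*$")

def parse_tgt(klist_text):
    """Return (expires, renew_until) of the krbtgt entry, or None if absent."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue  # header, blank line or a service ticket
        nxt = RENEW.match(lines[i + 1]) if i + 1 < len(lines) else None
        renew_until = datetime.strptime(nxt.group(1), FMT) if nxt else None
        return datetime.strptime(m.group(2), FMT), renew_until
    return None

def decide(klist_text, now, margin=timedelta(hours=1)):
    """'ok', 'renew' (kinit -R can extend the TGT) or 'reauth' (new login)."""
    tgt = parse_tgt(klist_text)
    if tgt is None or now >= tgt[0]:
        return "reauth"  # no TGT, or already expired: renewal is impossible
    expires, renew_until = tgt
    if expires - now > margin:
        return "ok"
    if renew_until is None or renew_until <= expires:
        return "reauth"  # not renewable, or renewable lifetime used up
    return "renew"

if __name__ == "__main__":  # e.g. run from the user's cron or a systemd timer
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    if decide(out, datetime.now()) == "renew":
        subprocess.run(["kinit", "-R"])  # renew the TGT in the default cache
```

`klist` and `kinit -R` act on the cache named by `KRB5CCNAME` (or the default cache), so a scheduled job has to point at the same cache file the ssh session uses.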
On 02/10/2020 13:16, L.P.H. van Belle via samba wrote:
> Maybe its..
>
> authconfig --enablewinbindkrb5 --update
>
> Requirements to achieve this:
>
> - A valid /etc/krb5.conf
> - A valid system keytab /etc/krb5.keytab
> - A valid /etc/samba/smb.conf -> will be modified by authconfig

You missed one: install pam_krb5

> ( found on internet worked in centos7 )
>
> But better read..
> https://sssd.io/docs/users/pam_krb5_migration.html

I read that, about as much use as a chocolate fireguard if you want to use winbind. pam_sss (or whatever it is called) is just a wrapper around sssd and you cannot use sssd with winbind, Red-Hat tells you this!

Rowland

On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working.  I can SSH to the system, and I get
> a proper ticket.  My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system.  I think I can script around
> that and just not rely on winbind to do it.

Why do you (seemingly) not want to install pam_krb5? You do not need a script with it.

Rowland

On 02.10.20 14:27, Rowland penny via samba wrote:
> I read that, about as much use as a chocolate fireguard if you want to
> use winbind. pam_sss (or whatever it is called) is just a wrapper around
> sssd and you cannot use sssd with winbind, Red-Hat tells you this!

Hi Rowland,
this was true for Centos7 but for 8 it works fine without pam_krb5. If you have access you can see this here:

https://access.redhat.com/solutions/4256011

Basically you just run:

authselect select winbind --force

I can report this works with winbind in samba 4.12.6.

> Rowland

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt District Court, HRB 24758
Executive Board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen