On 02/10/2020 13:24, Jason Keltz via samba wrote:
> Hi Louis,
>
> I had already done that at one point.
>
> My pam_winbind is already working. I can SSH to the system, and I get
> a proper ticket. My only issue is that it doesn't refresh the ticket
> before expiry when I ssh to a system. I think I can script around
> that and just not rely on winbind to do it.

Why do you (seemingly) not want to install pam_krb5? You do not need a script with it.

Rowland
On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>> Hi Louis,
>>
>> I had already done that at one point.
>>
>> My pam_winbind is already working. I can SSH to the system, and I
>> get a proper ticket. My only issue is that it doesn't refresh the
>> ticket before expiry when I ssh to a system. I think I can script
>> around that and just not rely on winbind to do it.
>
> Why do you (seemingly) not want to install pam_krb5? You do not need
> a script with it.

SSH is already capable of forwarding Kerberos tickets. It does exactly that on my system. I SSH from one system in the domain where I have a Kerberos ticket to another system where I do not, and I am not asked for a password. If I kdestroy my ticket on the original system, and try to SSH to the other system, the SSH asks for a password, then I get a new ticket. Everything works exactly the way it should (at least in my mind). My problem isn't that the ticket doesn't arrive or that I can't login. My problem is that winbind doesn't refresh the ticket when it's near expiry. It's not clear to me why installing pam_krb5 resolves that. pam_krb5 is doing what my system is already doing (albeit for you, winbind is refreshing as well). I would just like to understand the technical details, which I obviously do not.

Jason.
On 02/10/2020 13:43, Jason Keltz via samba wrote:
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>
>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>> Hi Louis,
>>>
>>> I had already done that at one point.
>>>
>>> My pam_winbind is already working. I can SSH to the system, and I
>>> get a proper ticket. My only issue is that it doesn't refresh the
>>> ticket before expiry when I ssh to a system. I think I can script
>>> around that and just not rely on winbind to do it.
>>
>> Why do you (seemingly) not want to install pam_krb5? You do not need
>> a script with it.
>
> SSH is already capable of forwarding Kerberos tickets. It does
> exactly that on my system. I SSH from one system in the domain where
> I have a Kerberos ticket to another system where I do not, and I am
> not asked for a password. If I kdestroy my ticket on the original
> system, and try to SSH to the other system, the SSH asks for a
> password, then I get a new ticket. Everything works exactly the way
> it should (at least in my mind). My problem isn't that the ticket
> doesn't arrive or that I can't login. My problem is that winbind
> doesn't refresh the ticket when it's near expiry. It's not clear to me
> why installing pam_krb5 resolves that. pam_krb5 is doing what my
> system is already doing (albeit for you, winbind is refreshing as
> well). I would just like to understand the technical details, which I
> obviously do not.
>
> Jason.

OK, I can understand that, but I can make observations from my use of ssh.

If I do it your way, I get asked for a password the first time I log in via ssh, subsequent logins do not require the password, but I do not get a ticket in /tmp.

After I installed pam_krb5, I still didn't get a ticket until I stopped sshd using GSSAPI, then I got the ticket (I presume PAM passed the password down the stack).

It may be possible to do both, use GSSAPI and get winbind to refresh the tickets, but I do not know how to.

Rowland
Ah, and is that server allowed to "forward/exchange" that ticket?

Try this on both servers and test again.

GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck no
GSSAPIKeyExchange yes

Which you need exactly, I don't know, but I think you need to look in this area..

Think in this:
Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
Which are allowed for the server(s)?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jason Keltz via samba
> Sent: Friday, 2 October 2020 14:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] Kerberos ticket lifetime
>
> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>
>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>> Hi Louis,
>>>
>>> I had already done that at one point.
>>>
>>> My pam_winbind is already working. I can SSH to the system, and I
>>> get a proper ticket. My only issue is that it doesn't refresh the
>>> ticket before expiry when I ssh to a system. I think I can script
>>> around that and just not rely on winbind to do it.
>>
>> Why do you (seemingly) not want to install pam_krb5? You do not need
>> a script with it.
>
> SSH is already capable of forwarding Kerberos tickets. It does exactly
> that on my system. I SSH from one system in the domain where I have a
> Kerberos ticket to another system where I do not, and I am not asked for
> a password. If I kdestroy my ticket on the original system, and try to
> SSH to the other system, the SSH asks for a password, then I get a new
> ticket. Everything works exactly the way it should (at least in my
> mind). My problem isn't that the ticket doesn't arrive or that I can't
> login. My problem is that winbind doesn't refresh the ticket when it's
> near expiry. It's not clear to me why installing pam_krb5 resolves that.
> pam_krb5 is doing what my system is already doing (albeit for you,
> winbind is refreshing as well). I would just like to understand the
> technical details, which I obviously do not.
>
> Jason.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Louis,

I have those options already.. I'll have to look into the debug options for winbind to see what it's up to when it comes to the renewal.

Rowland: I'll have to experiment some more and see...

Jason.

On 10/2/2020 9:07 AM, L.P.H. van Belle via samba wrote:
> Ah, and is that server allowed to "forward/exchange" that ticket?
>
> Try this on both servers and test again.
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials no
> GSSAPIStrictAcceptorCheck no
> GSSAPIKeyExchange yes
>
> Which you need exactly, I don't know, but I think you need to look in this area..
>
> Think in this:
> Kerberos: Requested flags: renewable-ok, canonicalize, renewable, forwardable
> Which are allowed for the server(s)?
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Jason Keltz via samba
>> Sent: Friday, 2 October 2020 14:43
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Kerberos ticket lifetime
>>
>> On 10/2/2020 8:30 AM, Rowland penny via samba wrote:
>>
>>> On 02/10/2020 13:24, Jason Keltz via samba wrote:
>>>> Hi Louis,
>>>>
>>>> I had already done that at one point.
>>>>
>>>> My pam_winbind is already working. I can SSH to the system, and I
>>>> get a proper ticket. My only issue is that it doesn't refresh the
>>>> ticket before expiry when I ssh to a system. I think I can script
>>>> around that and just not rely on winbind to do it.
>>> Why do you (seemingly) not want to install pam_krb5? You do not need
>>> a script with it.
>> SSH is already capable of forwarding Kerberos tickets. It does exactly
>> that on my system. I SSH from one system in the domain where I have a
>> Kerberos ticket to another system where I do not, and I am not asked for
>> a password. If I kdestroy my ticket on the original system, and try to
>> SSH to the other system, the SSH asks for a password, then I get a new
>> ticket. Everything works exactly the way it should (at least in my
>> mind). My problem isn't that the ticket doesn't arrive or that I can't
>> login. My problem is that winbind doesn't refresh the ticket when it's
>> near expiry. It's not clear to me why installing pam_krb5 resolves that.
>> pam_krb5 is doing what my system is already doing (albeit for you,
>> winbind is refreshing as well). I would just like to understand the
>> technical details, which I obviously do not.
>>
>> Jason.
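Jason mentions scripting around the missing refresh. As an added example for this thread (not code posted by anyone in it, and not from Samba or OpenSSH), the script below does the part such a wrapper has to get right: it reads the krbtgt entry from `klist` and runs `kinit -R` only while the TGT is still valid and inside its renewable lifetime, because a ticket that has already expired, was never issued with the `renewable` flag Louis lists, or is past its `renew until` time cannot be renewed by the KDC and needs a fresh `kinit` or a newly delegated ticket instead. It assumes MIT Kerberos `klist`/`kinit` output and GNU `date` (`date -d`, `+%s`); the file name krb-refresh.sh is an assumption and the `klist` sample embedded for the self-test is constructed, not captured from a real host.

```shell
#!/bin/sh
# krb-refresh.sh: renew the Kerberos TGT in the current credential cache when
# it is close to expiry. Added example for this thread, not code from Samba,
# OpenSSH or the posters. Assumes MIT Kerberos klist/kinit output and GNU
# date (for `date -d` and `+%s`).

# Renew when fewer than this many seconds of ticket life remain (30 minutes).
THRESHOLD=${THRESHOLD:-1800}

# Constructed klist output used by the self-test; not from a real host.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jason@EXAMPLE.COM

Valid starting       Expires              Service principal
10/02/2020 08:30:00  10/02/2020 18:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/09/2020 08:30:00
10/02/2020 08:31:10  10/02/2020 18:30:00  host/box.example.com@EXAMPLE.COM'

# krbtgt_times KLIST_OUTPUT
# Prints "<expires>|<renew until>" for the (last) krbtgt entry; the second
# field is empty when the TGT is not renewable.
krbtgt_times() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { expires = $3 " " $4; after_tgt = 1; next }
        after_tgt  { if ($1 == "renew" && $2 == "until") renew = $3 " " $4
                     after_tgt = 0 }
        END        { print expires "|" renew }'
}

# to_epoch "MM/DD/YYYY HH:MM:SS"  (GNU date)
to_epoch() {
    LC_ALL=C date -d "$1" +%s
}

# refresh_action EXPIRES RENEW_UNTIL NOW
# Prints one of:
#   ok     - more than THRESHOLD seconds left, nothing to do
#   renew  - near expiry and still renewable: run `kinit -R`
#   reauth - expired, not renewable, or past the renew limit; kinit -R cannot
#            help, a password (kinit) or a fresh delegated ticket is needed
refresh_action() {
    exp_s=$(to_epoch "$1") || return 2
    now_s=$(to_epoch "$3") || return 2
    if [ "$now_s" -ge "$exp_s" ]; then
        echo reauth      # already expired: the KDC will refuse to renew it
    elif [ $((exp_s - now_s)) -gt "$THRESHOLD" ]; then
        echo ok
    elif [ -z "$2" ]; then
        echo reauth      # no "renew until" line: ticket is not renewable
    else
        ren_s=$(to_epoch "$2") || return 2
        if [ "$ren_s" -le "$now_s" ]; then echo reauth; else echo renew; fi
    fi
}

main() {
    out=$(klist 2>/dev/null) || { echo "krb-refresh: no credential cache" >&2; return 1; }
    times=$(krbtgt_times "$out")
    expires=${times%%|*}
    renew_until=${times#*|}
    [ -n "$expires" ] || { echo "krb-refresh: no krbtgt in cache" >&2; return 1; }
    case $(refresh_action "$expires" "$renew_until" "$(date '+%m/%d/%Y %H:%M:%S')") in
        renew)  kinit -R ;;
        reauth) echo "krb-refresh: TGT cannot be renewed, run kinit" >&2; return 1 ;;
        ok)     ;;
        *)      return 2 ;;
    esac
}

# Run only when executed as the script itself, so the functions can be sourced.
case $0 in */krb-refresh.sh|krb-refresh.sh) main "$@" ;; esac
```

Run it from the user's own cron or a systemd user timer every few minutes with `KRB5CCNAME` pointing at the cache sshd deposited (a delegated cache is not the default `/tmp/krb5cc_UID` file, so the variable has to be set explicitly). It only keeps the ticket alive inside the renewable lifetime the KDC granted; once that runs out, a password or a new forwarded ticket is still required.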
On 02/10/2020 14:07, L.P.H. van Belle via samba wrote:
> Ah, and is that server allowed to "forward/exchange" that ticket?
>
> Try this on both servers and test again.
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials no
> GSSAPIStrictAcceptorCheck no
> GSSAPIKeyExchange yes
>
> Which you need exactly, I don't know, but I think you need to look in this area..

Tried those, can login without password, but no kerberos ticket.

Rowland
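Logging in without a password but finding no ticket in the cache, as Rowland reports, is what OpenSSH does when GSSAPI authentication succeeds but no credential is delegated: whether the TGT is forwarded to the server is decided by the ssh client (`GSSAPIDelegateCredentials`, default no), not by any sshd_config option, and only a TGT issued with the `forwardable` flag can be delegated at all. A delegated ticket is also not something winbind knows about: the smb.conf option `winbind refresh tickets` refreshes only tickets that pam_winbind obtained itself, which requires `krb5_auth = yes` in pam_winbind.conf and a login in which the password actually passes through PAM, which is exactly what a GSSAPI login avoids. That is why pam_krb5 or pam_winbind only produced a ticket once GSSAPI was out of the way. The fragments below are an added example for this thread, not configuration posted by anyone in it or shipped by Samba or OpenSSH; the realm EXAMPLE.COM, the host pattern and the file paths are assumptions.

```text
# ---- Client: ~/.ssh/config (or /etc/ssh/ssh_config) ----
# Delegation is a client decision. A host that receives your TGT can act as
# you, so restrict it to hosts you trust instead of using "Host *".
Host *.example.com
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# ---- Client: /etc/krb5.conf ----
# Only a forwardable TGT can be delegated; "kinit -f" does the same per ticket.
# renew_lifetime is capped by the KDC's own maximum (7 days by default in AD).
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true
    renew_lifetime = 7d

# ---- Server: /etc/ssh/sshd_config ----
GSSAPIAuthentication yes
# Keep the delegated cache after logout so background jobs can still use it.
GSSAPICleanupCredentials no
# Leave GSSAPIStrictAcceptorCheck at its default (yes) unless the host is
# reached under several names; "no" lets any key in the keytab be used.
# GSSAPIKeyExchange exists only in builds carrying the GSSAPI key-exchange
# patch (Debian and derivatives). An unpatched sshd rejects it as a bad
# configuration option and will not start, so run "sshd -t" before restarting.
# GSSAPIKeyExchange yes

# ---- Server: /etc/samba/smb.conf ----
# Applies only to tickets pam_winbind acquired; delegated tickets are untouched.
[global]
    winbind refresh tickets = yes

# ---- Server: /etc/security/pam_winbind.conf ----
# krb5_auth = yes makes pam_winbind obtain a TGT from the password PAM hands
# it, which is the only case winbind can later refresh.
[global]
    krb5_auth = yes
    krb5_ccache_type = FILE
```

After changing the client side, `klist -f` on the client should show the `F` (forwardable) flag on the krbtgt entry, and a GSSAPI login to the server should then leave a `FILE:/tmp/krb5cc_...` cache behind that `klist` on the server can read. Tickets that arrive this way are still outside winbind's refresh loop; they can be renewed with `kinit -R` while inside their renewable lifetime, but not refreshed indefinitely without a password.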