Hi team,

On my Linux desktop the krb5 ticket of my user expires after 10h. klist just returns nothing:

$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_10004)

After kinit + password klist does show the expected output:

$ klist
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM

On the desktop I run Bullseye with stock Samba (4.13.13) and winbind for nss and pam, the DCs are running on 4.15.5 from Louis' repo.

/etc/samba/smb.conf:

[global]
        interfaces = lo
        bind interfaces only = yes
        netbios name = DESKTOP1
        security = ADS
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        idmap config example:backend = ad
        idmap config example:schema_mode = rfc2307
        idmap config example:unix_primary_group = yes
        idmap config example:unix_nss_info = yes
        idmap config example:range = 1001-100000
        idmap config *:backend = tdb
        idmap config *:range = 1000000-1999999
        winbind nss info = rfc2307
        winbind cache time = 300
        winbind enum groups = no
        winbind enum users = no
        winbind expand groups = 10
        winbind normalize names = no
        winbind offline logon = yes
        lock directory = /var/cache/samba
        winbind refresh tickets = yes
        winbind scan trusted domains = no
        winbind use default domain = yes
        kerberos method = secrets and keytab
        kerberos encryption types = strong
        rpc server dynamic port range = 50000-55000
        ntlm auth = mschapv2-and-ntlmv2-only
        disable netbios = yes
        template homedir = /home/%U
        template shell = /bin/bash
        tls enabled = yes
        tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
        tls cafile = /etc/ssl/certs/ca.pem
        min domain uid = 1001
        dedicated keytab file = /etc/krb5.keytab

/etc/security/pam_winbind.conf

[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
require_membership_of = S-1-5-21-4190054395-3630394414-2036191173-1118

I was under the impression that winbind would renew the ticket with the above settings.

Why is my ticket not renewed automatically?

- Kees
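As an added example (not code from this thread and not part of Samba), the following Python script parses the smb.conf, pam_winbind.conf and klist output quoted above (embedded here as constructed copies) and reports the TGT lifetime, the seconds left until expiry at a given moment, and whether the settings winbind needs to refresh a user's TGT are present. Treating security = ADS, winbind refresh tickets = yes and krb5_auth = yes as the minimum required set is my assumption; an empty findings list means nothing obvious is missing, not that refresh is guaranteed to work.

```python
import re
from datetime import datetime

# Constructed sample input: the ticket-related part of the smb.conf
# [global] section posted in the thread (other settings omitted).
SMB_CONF = """\
[global]
        security = ADS
        realm = EXAMPLE.COM
        workgroup = EXAMPLE
        idmap config example:backend = ad
        idmap config example:range = 1001-100000
        winbind offline logon = yes
        winbind refresh tickets = yes
        kerberos method = secrets and keytab
        min domain uid = 1001
        dedicated keytab file = /etc/krb5.keytab
"""

# Constructed sample input: the pam_winbind.conf from the thread.
PAM_WINBIND_CONF = """\
[global]
warn_pwd_expire = 30
cached_login = yes
krb5_auth = yes
"""

# Constructed sample input: the klist output from the thread.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting     Expires            Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_ini(text):
    """Parse smb.conf / pam_winbind.conf into {section: {key: value}}.
    Only the first '=' splits a line, because keys such as
    'idmap config example:backend' contain ':'; keys are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


KLIST_TICKET = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
KLIST_TIME = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return [(service principal, valid from, expires)] from klist output.
    A 'No credentials cache found' message simply yields no tickets."""
    tickets = []
    for line in text.splitlines():
        m = KLIST_TICKET.match(line.strip())
        if m:
            tickets.append((m.group(3),
                            datetime.strptime(m.group(1), KLIST_TIME),
                            datetime.strptime(m.group(2), KLIST_TIME)))
    return tickets


def tgt(klist_text):
    """(valid from, expires) of the krbtgt/ entry, or None without a TGT."""
    for principal, start, expires in parse_klist(klist_text):
        if principal.startswith("krbtgt/"):
            return start, expires
    return None


def tgt_lifetime_seconds(klist_text):
    entry = tgt(klist_text)
    return None if entry is None else int((entry[1] - entry[0]).total_seconds())


def tgt_seconds_remaining(klist_text, now):
    """Seconds until the TGT expires at 'now' (a datetime or a string in
    klist's own time format); negative once expired, None without a TGT.
    Usable as the core of a monitoring check on a desktop."""
    if isinstance(now, str):
        now = datetime.strptime(now, KLIST_TIME)
    entry = tgt(klist_text)
    return None if entry is None else int((entry[1] - now).total_seconds())


def refresh_findings(smb_global, pam_global):
    """Assumed minimum settings for winbind to refresh a user's TGT.
    Returns a list of findings; empty means nothing obvious is missing."""
    findings = []
    if smb_global.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not ADS, winbind will not use Kerberos")
    if smb_global.get("winbind refresh tickets", "no").lower() != "yes":
        findings.append("smb.conf: winbind refresh tickets is not enabled")
    if pam_global.get("krb5_auth", "no").lower() != "yes":
        findings.append("pam_winbind.conf: krb5_auth is off, no ticket is obtained at login")
    return findings


if __name__ == "__main__":
    smb = parse_ini(SMB_CONF)["global"]
    pam = parse_ini(PAM_WINBIND_CONF)["global"]
    print("findings:", refresh_findings(smb, pam) or "none")
    print("TGT lifetime (s):", tgt_lifetime_seconds(KLIST_OUTPUT))
    print("seconds left at 03/01/22 09:55:28:",
          tgt_seconds_remaining(KLIST_OUTPUT, "03/01/22 09:55:28"))
```

On the posted configuration the findings list is empty and the TGT lifetime comes out as 35994 seconds (just under the 10 hours Kees describes), which is consistent with the thread: the settings for refresh are present, so the cause has to be found elsewhere.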
Hi,

this sounds like a bug (https://bugzilla.suse.com/show_bug.cgi?id=1196224) that we are facing too. There is a bug fix in the samba master already (https://gitlab.com/samba-team/samba/-/merge_requests/2405). But as far as I got it, this bug is only relevant for samba 4.15, due to the change of the default setting to "winbind use krb5 enterprise principals = yes". Since you are using 4.13, this shouldn't affect you.

Regards,
Andreas

On 01.03.22 at 01:19, Kees van Vloten via samba wrote:
> Hi team,
>
> On my Linux desktop the krb5 ticket of my user expires after 10h.
> klist just returns nothing:
>
> [...]
>
> I was under the impression that winbind would renew the ticket with
> the above settings.
>
> Why is my ticket not renewed automatically?
>
> - Kees
On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
> Hi team,
>
> On my Linux desktop the krb5 ticket of my user expires after 10h.
> klist just returns nothing:
>
> [...]
>
> tls cafile = /etc/ssl/certs/ca.pem
> min domain uid = 1001

I think I understand what is going wrong here, winbind is renewing my tickets (on 4.15.5), but I also have these two lines:

username map = /etc/samba/user.map
min domain uid = 0

The user.map contains:

!root = SAMDOM\Administrator

I think that you have turned off root's ability to change the ticket.

Rowland