On 01-03-2022 11:33, Rowland Penny via samba wrote:
> On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
>> Hi team,
>>
>> On my Linux desktop the krb5 ticket of my user expires after 10h.
>> klist
>> just returns nothing:
>>
>> $ klist
>> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>>
>> After kinit + password klist does show the expected output:
>>
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_10004
>> Default principal: test1 at EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 03/01/22 00:55:34 03/01/22 10:55:28 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>
>> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind
>> for
>> nss and pam, the DCs are running on 4.15.5 from Louis' repo.
>>
>> /etc/samba/smb.conf:
>>
>> [global]
>> interfaces = lo
>> bind interfaces only = yes
>> netbios name = DESKTOP1
>> security = ADS
>> realm = EXAMPLE.COM
>> workgroup = EXAMPLE
>> idmap config example:backend = ad
>> idmap config example:schema_mode = rfc2307
>> idmap config example:unix_primary_group = yes
>> idmap config example:unix_nss_info = yes
>> idmap config example:range = 1001-100000
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-1999999
>> winbind nss info = rfc2307
>> winbind cache time = 300
>> winbind enum groups = no
>> winbind enum users = no
>> winbind expand groups = 10
>> winbind normalize names = no
>> winbind offline logon = yes
>> lock directory = /var/cache/samba
>> winbind refresh tickets = yes
>> winbind scan trusted domains = no
>> winbind use default domain = yes
>> kerberos method = secrets and keytab
>> kerberos encryption types = strong
>> rpc server dynamic port range = 50000-55000
>> ntlm auth = mschapv2-and-ntlmv2-only
>> disable netbios = yes
>> template homedir = /home/%U
>> template shell = /bin/bash
>> tls enabled = yes
>> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
>> tls cafile = /etc/ssl/certs/ca.pem
>> min domain uid = 1001
> I think I understand what is going wrong here, winbind is renewing my
> tickets (on 4.15.5), but I also have these two lines:
>
> username map = /etc/samba/user.map
> min domain uid = 0
>
> The user.map contains:
>
> !root = SAMDOM\Administrator
>
> I think that you have turned off root's ability to change the ticket.
>
> Rowland
>
>
>
Thank you! That sounds like a plausible cause.
I will change my config right away and then wait for the ticket expiry
(or not).
Is this a broader issue than desktop systems only? Do I have to get rid
of "min domain uid = 1001" everywhere (DCs and member-servers)?
I added that setting after reading the release notes of 4.15.3
(CVE-2020-25717). Does it mean the advice in the CVE has this adverse effect?
- Kees
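A small diagnostic, added here and not part of the thread, that parses a klist listing like the one above and the [global] section of an smb.conf to report the krbtgt lifetime next to the parameters the thread discusses (`winbind refresh tickets`, `min domain uid`, `username map`). Both samples are constructed from values quoted in the thread, not captured live.

```python
import re
from datetime import datetime

# Constructed klist output mirroring the listing in the thread (realm and times kept).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/22 00:55:34  03/01/22 10:55:28  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Constructed smb.conf fragment with the settings under discussion.
SAMPLE_SMB_CONF = """[global]
   winbind refresh tickets = yes
   winbind offline logon = yes
   min domain uid = 1001
"""

# Two timestamps followed by a service principal, as printed by MIT klist.
KLIST_LINE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
TS = "%m/%d/%y %H:%M:%S"


def krbtgt_lifetime(klist_output):
    """Return (expiry datetime, ticket lifetime) of the krbtgt entry, or None."""
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line.strip())
        if m and m.group(3).startswith("krbtgt/"):
            start = datetime.strptime(m.group(1), TS)
            end = datetime.strptime(m.group(2), TS)
            return end, end - start
    return None


def smb_global_params(conf_text, names):
    """Return {name: value} for the requested [global] parameters; unset -> None."""
    found = dict.fromkeys(n.lower() for n in names)
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in found:
                found[key.lower()] = value
    return found
```

Run `krbtgt_lifetime` on real `klist` output and `smb_global_params` on `testparm -s` output to see, in one place, how long the ticket lives and which of the three parameters are actually set.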