samba - Mar 2022 - Ticket expires after 10h

On 01-03-2022 11:33, Rowland Penny via samba wrote:
> On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
>> Hi team,
>>
>> On my Linux desktop the krb5 ticket of my user expires after 10h.
>> klist
>> just returns nothing:
>>
>> $ klist
>> klist: No credentials cache found (filename: /tmp/krb5cc_10004)
>>
>> After kinit + password klist does show the expected output:
>>
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_10004
>> Default principal: test1 at EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 03/01/22 00:55:34 03/01/22 10:55:28 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>
>> On the desktop I run Bullseye with stock Samba (4.13.13) and winbind
>> for
>> nss and pam, the DCs are running on 4.15.5 from Louis' repo.
>>
>> /etc/samba/smb.conf:
>>
>> [global]
>> interfaces = lo
>> bind interfaces only = yes
>> netbios name = DESKTOP1
>> security = ADS
>> realm = EXAMPLE.COM
>> workgroup = EXAMPLE
>> idmap config example:backend = ad
>> idmap config example:schema_mode = rfc2307
>> idmap config example:unix_primary_group = yes
>> idmap config example:unix_nss_info = yes
>> idmap config example:range = 1001-100000
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-1999999
>> winbind nss info = rfc2307
>> winbind cache time = 300
>> winbind enum groups = no
>> winbind enum users = no
>> winbind expand groups = 10
>> winbind normalize names = no
>> winbind offline logon = yes
>> lock directory = /var/cache/samba
>> winbind refresh tickets = yes
>> winbind scan trusted domains = no
>> winbind use default domain = yes
>> kerberos method = secrets and keytab
>> kerberos encryption types = strong
>> rpc server dynamic port range = 50000-55000
>> ntlm auth = mschapv2-and-ntlmv2-only
>> disable netbios = yes
>> template homedir = /home/%U
>> template shell = /bin/bash
>> tls enabled = yes
>> tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-
>> TLS1.3
>> tls cafile = /etc/ssl/certs/ca.pem
>> min domain uid = 1001
> I think I understand what is going wrong here, winbind is renewing my
> tickets (on 4.15.5), but I also have these two lines:
>
> username map = /etc/samba/user.map
> min domain uid = 0
>
> The user.map contains:
>
> !root = SAMDOM\Administrator
>
> I think that you have turned off root's ability to change the ticket.
>
> Rowland
>
>
>
I have added that setting after some reading the release notes of 4.15.3 
(CVE-2020-25717). Does it mean the advice in the CVE has this averse effect?
Does this doc needs an updte to prevent other users running into the 
same issue?


I left my desktop powered-on last night. I can confirm everything still 
works, i.e. @Rowland your suggestion fixed it :-)

There is an interesting difference between the klist before the renew 
and after though:

klist before ticket renew:
$ klist
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1 at EXAMPLE.COM

Valid starting???? Expires??????????? Service principal
03/01/22 22:04:43? 03/02/22 08:04:43 krbtgt/EXAMPLE.COM at EXAMPLE.COM
 ??????? renew until 03/08/22 22:04:43
03/01/22 22:04:43? 03/02/22 08:04:43? BACH$@EXAMPLE.COM
03/01/22 22:50:34? 03/02/22 08:04:43 host/vivaldi.EXAMPLE.COM at EXAMPLE.COM
 ??????? renew until 03/08/22 22:04:43
03/01/22 23:47:12? 03/02/22 08:04:43 imap/strauss.EXAMPLE.COM at EXAMPLE.COM
 ??????? renew until 03/08/22 22:04:43

And after the winbind initiated renew:
$ klist
Ticket cache: FILE:/tmp/krb5cc_10004
Default principal: test1 at EXAMPLE.COM

Valid starting???? Expires??????????? Service principal
03/02/22 12:09:52? 03/02/22 22:09:52 krbtgt/EXAMPLE.COM at EXAMPLE.COM
 ??????? renew until 03/08/22 22:04:43

All principals except one are gone and no principals are added on use 
(such as the imap one when I access Thunderbird), but I can still read 
mail and do everything.

Is everything working as expected or am I still missing some config?
Is there an explanation for the difference in klist output?

- Kees

On Wed, 2022-03-02 at 14:50 +0100, Kees van Vloten via samba
wrote:
> On 01-03-2022 11:33, Rowland Penny via samba wrote:
> > On Tue, 2022-03-01 at 01:19 +0100, Kees van Vloten via samba wrote:
> > > Hi team,
> > > 
> > > On my Linux desktop the krb5 ticket of my user expires after 10h.
> > > klist
> > > just returns nothing:
> > > 
> > > $ klist
> > > klist: No credentials cache found (filename: /tmp/krb5cc_10004)
> > > 
> > > After kinit + password klist does show the expected output:
> > > 
> > > $ klist
> > > Ticket cache: FILE:/tmp/krb5cc_10004
> > > Default principal: test1 at EXAMPLE.COM
> > > 
> > > Valid starting Expires Service principal
> > > 03/01/22 00:55:34 03/01/22 10:55:28 
> > > krbtgt/EXAMPLE.COM at EXAMPLE.COM
> > > 
> > > On the desktop I run Bullseye with stock Samba (4.13.13) and
> > > winbind
> > > for
> > > nss and pam, the DCs are running on 4.15.5 from Louis' repo.
> > > 
> > > /etc/samba/smb.conf:
> > > 
> > > [global]
> > > interfaces = lo
> > > bind interfaces only = yes
> > > netbios name = DESKTOP1
> > > security = ADS
> > > realm = EXAMPLE.COM
> > > workgroup = EXAMPLE
> > > idmap config example:backend = ad
> > > idmap config example:schema_mode = rfc2307
> > > idmap config example:unix_primary_group = yes
> > > idmap config example:unix_nss_info = yes
> > > idmap config example:range = 1001-100000
> > > idmap config *:backend = tdb
> > > idmap config *:range = 1000000-1999999
> > > winbind nss info = rfc2307
> > > winbind cache time = 300
> > > winbind enum groups = no
> > > winbind enum users = no
> > > winbind expand groups = 10
> > > winbind normalize names = no
> > > winbind offline logon = yes
> > > lock directory = /var/cache/samba
> > > winbind refresh tickets = yes
> > > winbind scan trusted domains = no
> > > winbind use default domain = yes
> > > kerberos method = secrets and keytab
> > > kerberos encryption types = strong
> > > rpc server dynamic port range = 50000-55000
> > > ntlm auth = mschapv2-and-ntlmv2-only
> > > disable netbios = yes
> > > template homedir = /home/%U
> > > template shell = /bin/bash
> > > tls enabled = yes
> > > tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-
> > > TLS1.3
> > > tls cafile = /etc/ssl/certs/ca.pem
> > > min domain uid = 1001
> > I think I understand what is going wrong here, winbind is renewing
> > my
> > tickets (on 4.15.5), but I also have these two lines:
> > 
> > username map = /etc/samba/user.map
> > min domain uid = 0
> > 
> > The user.map contains:
> > 
> > !root = SAMDOM\Administrator
> > 
> > I think that you have turned off root's ability to change the
> > ticket.
> > 
> > Rowland
> > 
> > 
> > 
> I have added that setting after some reading the release notes of
> 4.15.3 
> (CVE-2020-25717). Does it mean the advice in the CVE has this averse
> effect?
> Does this doc needs an updte to prevent other users running into the 
> same issue?
> 
> 
> I left my desktop powered-on last night. I can confirm everything
> still 
> works, i.e. @Rowland your suggestion fixed it :-)
> 
> There is an interesting difference between the klist before the
> renew 
> and after though:
> 
> klist before ticket renew:
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_10004
> Default principal: test1 at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 03/01/22 22:04:43  03/02/22 08:04:43 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>          renew until 03/08/22 22:04:43
> 03/01/22 22:04:43  03/02/22 08:04:43  BACH$@EXAMPLE.COM
> 03/01/22 22:50:34  03/02/22 08:04:43 
> host/vivaldi.EXAMPLE.COM at EXAMPLE.COM
>          renew until 03/08/22 22:04:43
> 03/01/22 23:47:12  03/02/22 08:04:43 
> imap/strauss.EXAMPLE.COM at EXAMPLE.COM
>          renew until 03/08/22 22:04:43
> 
> And after the winbind initiated renew:
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_10004
> Default principal: test1 at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 03/02/22 12:09:52  03/02/22 22:09:52 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>          renew until 03/08/22 22:04:43
> 
> All principals except one are gone and no principals are added on
> use 
> (such as the imap one when I access Thunderbird), but I can still
> read 
> mail and do everything.
> 
> Is everything working as expected or am I still missing some config?
> Is there an explanation for the difference in klist output?
> 
> - Kees
I wouldn't worry about it, you will probably find that the principals
get added as you use them.

Rowland