On 27/02/2023 15:20, Vaughan, Robert J via samba wrote:
> Hello listers
>
> In our environment there have been some changes in AD to what I think might
> be default Kerberos settings for tickets
>
> ticket_lifetime has been shortened from 24 hrs (default?) to 10 hrs
>
> renew_lifetime has been set at 7d from a default of no limit?
>> Can you describe your environment a little better? I ask because, as
>> far as I am aware, your changes have always been the defaults.
Hi Rowland, sorry, I apparently was wrong about those numbers being changed (after
talking again with my Wintel/AD admin), and you are correct, they are the
defaults.
I wonder why in my default /etc/krb5.conf (Red Hat 7 domain member file server)
those settings are 24h and 7d, and is that a problem?
>
> If this makes sense, just wondering if Samba needs to be aware of this
> (smb.conf: include system krb5 conf = yes), which is the default but I had been
> using "no" for this ... and then adjust those lines in /etc/krb5.conf?
>> I do not understand why you have been doing that, it is only supposed to
>> affect Samba DC's built with MIT
You are saying I should be using the default "yes", correct?
If so, should the /etc/krb5.conf be updated to the 10h?
I think I chose "no" a long time ago because Samba was the only thing
using Kerberos at the time, although now I am using ssh logins against AD via
winbind too.
Do smbd and winbind both need a restart for that change?
> We see a situation where users appear to lose their drive mapping after
> some period of time where it was working fine, and it made me wonder if it could
> be related to Kerberos ticket expiration
>> Do you have 'winbind refresh tickets = yes' set in smb.conf?
I do.
----------------------------------------------------------------------
This is an e-mail from General Dynamics Land Systems.
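As an added example (not part of the thread, and not Samba or MIT Kerberos project code): the 24h and 7d values in a stock Red Hat krb5.conf are only what the client asks for; the KDC grants the shorter of the requested lifetime and the domain Kerberos policy, so a request above the AD default policy of 10 hours / 7 days is simply capped, while a request below it really does shorten the ticket. The script below pulls ticket_lifetime and renew_lifetime out of a krb5.conf [libdefaults] section and compares them against an assumed policy of 10 hours and 7 days. The krb5.conf contents, the EXAMPLE.COM realm and the policy values are constructed for the example; substitute your own domain's policy. On a real member server, kinit followed by klist shows the lifetime actually granted.

```bash
#!/usr/bin/env bash
# Added example, not from the samba list thread or the Samba/MIT projects.
# Compares the lifetimes a client requests in krb5.conf [libdefaults] with the
# AD domain Kerberos policy. The KDC grants min(requested, policy), so a larger
# request is silently capped while a smaller one really shortens the ticket.

# Assumed domain policy: the Active Directory defaults (10 h max ticket age,
# 7 d max renewal). Replace with the values your domain actually enforces.
POLICY_TICKET_SECS=$(( 10 * 3600 ))
POLICY_RENEW_SECS=$(( 7 * 86400 ))

# Convert a krb5.conf duration to seconds. Accepts plain seconds ("36000"),
# hh:mm[:ss] ("10:00:00") and the NdNhNmNs form ("1d2h30m"). Prints the number
# of seconds; returns 1 on empty or unparseable input.
krb5_duration_to_seconds() {
    local s="$1" total=0 num unit
    [[ -z "$s" ]] && return 1
    if [[ "$s" =~ ^[0-9]+$ ]]; then
        echo "$s"; return 0
    fi
    if [[ "$s" =~ ^([0-9]+):([0-9]+)(:([0-9]+))?$ ]]; then
        echo $(( ${BASH_REMATCH[1]} * 3600 + ${BASH_REMATCH[2]} * 60 + ${BASH_REMATCH[4]:-0} ))
        return 0
    fi
    while [[ -n "$s" ]]; do
        if [[ "$s" =~ ^([0-9]+)([dhms])(.*)$ ]]; then
            num=${BASH_REMATCH[1]}; unit=${BASH_REMATCH[2]}; s=${BASH_REMATCH[3]}
            case "$unit" in
                d) total=$(( total + num * 86400 )) ;;
                h) total=$(( total + num * 3600 )) ;;
                m) total=$(( total + num * 60 )) ;;
                s) total=$(( total + num )) ;;
            esac
        else
            echo "unparseable krb5 duration: $1" >&2
            return 1
        fi
    done
    echo "$total"
}

# Print the value of <key> from the [libdefaults] section of <file>; prints
# nothing if the key is not set in that section. Trailing comments are ignored.
krb5_libdefault() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec {
            line = $0; sub(/#.*/, "", line)
            if (match(line, "^[[:space:]]*" key "[[:space:]]*=[[:space:]]*")) {
                val = substr(line, RLENGTH + 1); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$file"
}

# Exit status: 0 = request equals policy, 1 = request exceeds policy (the KDC
# caps it), 2 = request shorter than policy, 3 = unset or unparseable.
check_lifetime() {
    local requested="$1" policy="$2" req
    req=$(krb5_duration_to_seconds "$requested") || return 3
    if (( req > policy )); then return 1
    elif (( req < policy )); then return 2
    fi
    return 0
}

# Human-readable verdict for one setting.
report() {
    local name="$1" requested="$2" policy="$3" rc=0
    check_lifetime "$requested" "$policy" || rc=$?
    case "$rc" in
        0) echo "$name = $requested matches the domain policy" ;;
        1) echo "$name = $requested exceeds the policy ($(( policy / 3600 ))h); the KDC caps it, klist shows the capped value" ;;
        2) echo "$name = $requested is shorter than the policy ($(( policy / 3600 ))h); tickets expire sooner than the domain allows" ;;
        *) echo "$name is not set in [libdefaults] or could not be parsed" ;;
    esac
}

# Constructed sample: the stock Red Hat 7 values mentioned in the thread.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
EOF
report ticket_lifetime "$(krb5_libdefault "$tmp" ticket_lifetime)" "$POLICY_TICKET_SECS"
report renew_lifetime  "$(krb5_libdefault "$tmp" renew_lifetime)"  "$POLICY_RENEW_SECS"
rm -f "$tmp"
```

Run it against /etc/krb5.conf by pointing krb5_libdefault at that path instead of the constructed file; a "exceeds the policy" result for ticket_lifetime is cosmetic, since the KDC caps it, whereas a "shorter than the policy" result means the client is asking for less than AD would grant.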