similar to: Kerberos Ticket Issue

On 9/30/2020 7:23 PM, Jason Keltz wrote: > On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote: > >>> On 30 Sep 2020, at 21:42, Jason Keltz via samba >>> <samba at lists.samba.org> wrote: >>> >>> >>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote: >>>>>>> On the client, add: >>>>>>>

On 10/2/2020 8:05 AM, Rowland penny via samba wrote: > On 02/10/2020 13:01, Jason Keltz via samba wrote: >> On 10/2/2020 5:25 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 21:46, Rowland penny via samba wrote: >>>> On 01/10/2020 21:23, Jason Keltz via samba wrote: >>>>> >>>>> >>>>> Okay - I guess the

On 10/1/2020 8:41 AM, Rowland penny via samba wrote: > On 01/10/2020 13:38, Jason Keltz via samba wrote: >> On 10/1/2020 8:34 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 13:30, Jason Keltz via samba wrote: >>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote: >>>> >>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:

On 01/10/2020 21:23, Jason Keltz via samba wrote: > > On 10/1/2020 4:10 PM, Rowland penny via samba wrote: >> On 01/10/2020 20:47, Jason Keltz via samba wrote: >>> >>> Hi Rowland, >>> >>> In my case, I think I may know why pam_winbind is not renewing the >>> ticket before it expires. >>> >> I don't think it matters about

On 10/1/2020 4:10 PM, Rowland penny via samba wrote: > On 01/10/2020 20:47, Jason Keltz via samba wrote: >> >> Hi Rowland, >> >> In my case, I think I may know why pam_winbind is not renewing the >> ticket before it expires. >> > I don't think it matters about the extra characters in the ticket > name, I think the ticket search looks for a ticket

On 02/10/2020 13:01, Jason Keltz via samba wrote: > On 10/2/2020 5:25 AM, Rowland penny via samba wrote: > >> On 01/10/2020 21:46, Rowland penny via samba wrote: >>> On 01/10/2020 21:23, Jason Keltz via samba wrote: >>>> >>>> >>>> Okay - I guess the failure of kdc: lines in smb.conf is a bug. >>>> >>>> Let's wait

On 03/07/2020 12:35, Stefan Just via samba wrote: > A kinit needs the user's password if the Kerberos ticket maximum > renewable lifetime has been exceeded. This is simply not possible > because users cannot be online for weeks. Where did you get the idea that you need the password from ? If a user logs in and PAM is set up correctly on a Unix domain member, the user should get a

Hello, Am Samstag, den 11.08.2018, 16:30 +0200 schrieb Noël Köthe via samba: > > > I did a "net ads leave" and join but then 10 hours later the problem > > > is there again. > > > > This is undoubtedly a Kerberos problem, but apart for the slight > > problems I mentioned above, there doesn't seem to be much wrong. > > If it is a Samba

On 10/2/2020 5:25 AM, Rowland penny via samba wrote: > On 01/10/2020 21:46, Rowland penny via samba wrote: >> On 01/10/2020 21:23, Jason Keltz via samba wrote: >>> >>> >>> Okay - I guess the failure of kdc: lines in smb.conf is a bug. >>> >>> Let's wait and see what happens with your ticket after 10 hours. >>> Maybe there's a

Hi Louis, I had already done that at one point. My pam_winbind is already working.? I can SSH to the system, and I get a proper ticket.? My only issue is that it doesn't refresh the ticket before expiry when I ssh to a system.? I think I can script around that and just not rely on winbind to do it. Jason. On 10/2/2020 8:16 AM, L.P.H. van Belle via samba wrote: > Maybe its.. > >

On 10/1/2020 8:34 AM, Rowland penny via samba wrote: > On 01/10/2020 13:30, Jason Keltz via samba wrote: >> On 10/1/2020 8:28 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 13:17, Jason Keltz via samba wrote: >>>> So why is it that winbind renews the ticket on the original system, >>>> but on the system that I ssh to, it does not.

We are using tmux, screen and x2go to run long-running jobs on our compute servers. $HOME and other data should be mounted via CIFS or NFS4. Because such a job can run for more than a week, I would like to increase the Kerberos ticket lifetime or better the Kerberos ticket maximum renewable lifetime. I found this guide: https://wiki.samba.org/index.php/Samba_KDC_Settings Unfortunately, only

On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote: >> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote: >> >> >> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote: >>>>>> On the client, add: >>>>>> >>>>>> gensec_gssapi:requested_life_time = <int> # seconds

I would like to set the renewable lifetime to 90 days. What is the best way to set the Kerberos ticket maximum renewable lifetime. ~# smbd --version Version 4.12.2-Ubuntu ~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administrator at MYDOM Valid starting Expires Service principal 07/02/20 18:08:16 07/03/20 04:08:16 krbtgt/MYDOM at MYDOM renew until 07/03/20

Maybe its.. authconfig --enablewinbindkrb5 --update Requirements to achieve this: - A valid /etc/krb5.conf - A valid system keytab /etc/krb5.keytab - A valid /etc/samba/smb.conf -> will be modified by authconfig ( found on internet worked in centos7 ) But better read.. https://sssd.io/docs/users/pam_krb5_migration.html Greetz, Louis > -----Oorspronkelijk bericht----- >

On 01/10/2020 21:46, Rowland penny via samba wrote: > On 01/10/2020 21:23, Jason Keltz via samba wrote: >> >> >> Okay - I guess the failure of kdc: lines in smb.conf is a bug. >> >> Let's wait and see what happens with your ticket after 10 hours. >> Maybe there's a bug there as well. > It will be in the middle of the night here, so I will report

> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote: > > On 01/10/2020 00:23, Jason Keltz via samba wrote: >> >> Remy, >> >> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24 > I do not recognise that smb.conf option, could this be another freebsd change that was never sent

On 01/10/2020 00:23, Jason Keltz via samba wrote: > > Remy, > > On the domain controller (samba-ad-dc), I have in the config: kdc:user > ticket lifetime = 24 I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ? > > When I login to the client (which is using pam_winbind module), I have

Ah, and it that server allowed to "forward/exchange" that ticket? Try this on both servers and test again. GSSAPIAuthentication yes GSSAPICleanupCredentials no GSSAPIStrictAcceptorCheck no GSSAPIKeyExchange yes Which you need exaclty, i dont now, but i think you need to look in this area.. Think in this : Kerberos: Requested flags: renewable-ok, canonicalize, renewable,

Am 03.07.20 um 13:05 schrieb Rowland penny via samba: > On 03/07/2020 11:33, Stefan Just via samba wrote: >> We are using tmux, screen and x2go to run long-running jobs on our >> compute servers. $HOME and other data should be mounted via CIFS or >> NFS4. Because such a job can run for more than a week, I would like to >> increase the Kerberos ticket lifetime or better