similar to: Kerberos ticket maximum renewable lifetime

We are using tmux, screen and x2go to run long-running jobs on our compute servers. $HOME and other data should be mounted via CIFS or NFS4. Because such a job can run for more than a week, I would like to increase the Kerberos ticket lifetime or better the Kerberos ticket maximum renewable lifetime. I found this guide: https://wiki.samba.org/index.php/Samba_KDC_Settings Unfortunately, only

On Ubuntu 20.04 I have provisioned a AD DC using samba-4.12 from Louis' Repo and his instructions: https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt In the output of: samba-tool domain provision --use-rfc2307 --realm=XXX.XXX --domain=XXX --dns-backend=BIND9_DLZ --adminpass=XXXxxx I see this: WARNING /usr/lib/python3/dist-packages/samba/provision/sambadns.py

Am 03.07.20 um 13:05 schrieb Rowland penny via samba: > On 03/07/2020 11:33, Stefan Just via samba wrote: >> We are using tmux, screen and x2go to run long-running jobs on our >> compute servers. $HOME and other data should be mounted via CIFS or >> NFS4. Because such a job can run for more than a week, I would like to >> increase the Kerberos ticket lifetime or better

On 01/10/2020 00:23, Jason Keltz via samba wrote: > > Remy, > > On the domain controller (samba-ad-dc), I have in the config: kdc:user > ticket lifetime = 24 I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ? > > When I login to the client (which is using pam_winbind module), I have

On 03/07/2020 12:35, Stefan Just via samba wrote: > A kinit needs the user's password if the Kerberos ticket maximum > renewable lifetime has been exceeded. This is simply not possible > because users cannot be online for weeks. Where did you get the idea that you need the password from ? If a user logs in and PAM is set up correctly on a Unix domain member, the user should get a

Hi. I have a question about Kerberos ticket lifetime in AD with Samba. I'm running on CentOS 7 with Samba 4.11.? If I change "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client /etc.krb5.conf, it doesn't seem to make a difference. When I log out and back in to the client? (that is using pam_winbind), I still get a 10 hour ticket time.? I found this page:

On 01/10/2020 11:22, Remy Zandwijk wrote: > > >> On 1 Oct 2020, at 10:31, Rowland penny via samba >> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote: >> >> On 01/10/2020 00:23, Jason Keltz via samba wrote: >>> >>> Remy, >>> >>> On the domain controller (samba-ad-dc), I have in the config:

On 9/30/2020 11:15 AM, Rowland penny via samba wrote: > On 30/09/2020 15:51, Jason Keltz via samba wrote: >> Hi. >> >> I have a question about Kerberos ticket lifetime in AD with Samba. >> >> I'm running on CentOS 7 with Samba 4.11.? If I change >> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client >> /etc.krb5.conf, it

> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote: > > On 01/10/2020 00:23, Jason Keltz via samba wrote: >> >> Remy, >> >> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24 > I do not recognise that smb.conf option, could this be another freebsd change that was never sent

On 30/09/2020 15:51, Jason Keltz via samba wrote: > Hi. > > I have a question about Kerberos ticket lifetime in AD with Samba. > > I'm running on CentOS 7 with Samba 4.11.? If I change > "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client > /etc.krb5.conf, it doesn't seem to make a difference. When I log out > and back in to the client?

Hi Jason, > On 30 Sep 2020, at 17:38, Jason Keltz via samba <samba at lists.samba.org> wrote: > > > On 9/30/2020 11:15 AM, Rowland penny via samba wrote: >> On 30/09/2020 15:51, Jason Keltz via samba wrote: >>> Hi. >>> >>> I have a question about Kerberos ticket lifetime in AD with Samba. >>> >>> I'm running on CentOS 7

Ah, and it that server allowed to "forward/exchange" that ticket? Try this on both servers and test again. GSSAPIAuthentication yes GSSAPICleanupCredentials no GSSAPIStrictAcceptorCheck no GSSAPIKeyExchange yes Which you need exaclty, i dont now, but i think you need to look in this area.. Think in this : Kerberos: Requested flags: renewable-ok, canonicalize, renewable,

On 02/10/2020 13:24, Jason Keltz via samba wrote: > Hi Louis, > > I had already done that at one point. > > My pam_winbind is already working.? I can SSH to the system, and I get > a proper ticket.? My only issue is that it doesn't refresh the ticket > before expiry when I ssh to a system.? I think I can script around > that and just not rely on winbind to do it.

Hi, I'm getting this weird error in the logs when starting tinc "Creating metasocket faile: Address family not supported by protocol" I've tried explicitly putting AddressFamily = ipv4 in the tinc.conf file but it doesn't seem to make a difference. The IP's i'm using for the vpn are 10.0.x.x Thanks for your assistance, R. Schwarzenberg -------------- next part

Hi Rowland, Also change on DCs to [libdefaults] default_realm = HQ.KONTRAST dns_lookup_realm = false dns_lookup_kdc = true ? I was used wiki article and there was listed for DC. the config i have post was only für vl0227 (my Master DC) all other Maschines have the config you prefer. OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100,

Ah..   So every 5 days this happens, correct ? Solution, reboot your pc every 4.99999999 days.    This way its gets a new ticket and isnt the old reused.   As it stats on the site,. " tickets can be renewed for a maximum of 5 days from the date of original issue."     Greetz,   Louis       > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces

Hello, I successfully built a vpn between two hosts ("main" and "iquique") (and its SubNets), but I have problems when I want to add another host ("valparaiso"): I get a lot of Duplicates packets everywhere and a very slow vpn. I guess that is a routing problem, but I have try with a lot of alternatives without result. I have try with "switch",

hi again. after some tests, (on my operational domain and on a new testdomain) i detected this behavior: on samba 4.11.6 sometimes the new DNS-records finisches on a wrong dns zone. the problem occurs, if more then 5 records are created with the same name in more then one domain zone for example: testa1.jupiter.mydom.org testa2.jupiter.mydom.org testa3.jupiter.mydom.org

Hi again, I just started to debug things on the samba4 side: When trying to mount the Windows NFS share, I get the following error on the samba4 dc (just grepping for nfs in the logs): auth_check_password_send: Checking password for unmapped user [S5DOM.TEST]\[nfs/nfsclient.mydom.test]@[] map_user_info_cracknames: Mapping user [MYDOM.TEST]\[nfs/nfsclient.mydom.test] from workstation []

On Tue, 7 Aug 2018 14:59:56 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 7 Aug 2018 14:55:24 +0200 > Henry Jensen via samba <samba at lists.samba.org> wrote: > > > On Tue, 7 Aug 2018 12:51:33 +0100 > > Rowland Penny via samba <samba at lists.samba.org> wrote: > > > > > > > > Failed to modify SPNs on