similar to: Kerberos ticket lifetime

On 9/30/2020 11:15 AM, Rowland penny via samba wrote: > On 30/09/2020 15:51, Jason Keltz via samba wrote: >> Hi. >> >> I have a question about Kerberos ticket lifetime in AD with Samba. >> >> I'm running on CentOS 7 with Samba 4.11.? If I change >> "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client >> /etc.krb5.conf, it

Hi Jason, > On 30 Sep 2020, at 17:38, Jason Keltz via samba <samba at lists.samba.org> wrote: > > > On 9/30/2020 11:15 AM, Rowland penny via samba wrote: >> On 30/09/2020 15:51, Jason Keltz via samba wrote: >>> Hi. >>> >>> I have a question about Kerberos ticket lifetime in AD with Samba. >>> >>> I'm running on CentOS 7

On 30/09/2020 15:51, Jason Keltz via samba wrote: > Hi. > > I have a question about Kerberos ticket lifetime in AD with Samba. > > I'm running on CentOS 7 with Samba 4.11.? If I change > "ticket_lifetime=24h" on the AD server /etc/krb5.conf, or the client > /etc.krb5.conf, it doesn't seem to make a difference. When I log out > and back in to the client?

On 01/10/2020 00:23, Jason Keltz via samba wrote: > > Remy, > > On the domain controller (samba-ad-dc), I have in the config: kdc:user > ticket lifetime = 24 I do not recognise that smb.conf option, could this be another freebsd change that was never sent upstream or, if it was, it was rejected ? > > When I login to the client (which is using pam_winbind module), I have

> On 30 Sep 2020, at 21:42, Jason Keltz via samba <samba at lists.samba.org> wrote: > > > On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote: >>>>> On the client, add: >>>>> >>>>> gensec_gssapi:requested_life_time = <int> # seconds >>>>> >>>>> to smb4.conf. E.g. a ticket life time of one hour:

On 02/10/2020 13:24, Jason Keltz via samba wrote: > Hi Louis, > > I had already done that at one point. > > My pam_winbind is already working.? I can SSH to the system, and I get > a proper ticket.? My only issue is that it doesn't refresh the ticket > before expiry when I ssh to a system.? I think I can script around > that and just not rely on winbind to do it.

On 01/10/2020 11:22, Remy Zandwijk wrote: > > >> On 1 Oct 2020, at 10:31, Rowland penny via samba >> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote: >> >> On 01/10/2020 00:23, Jason Keltz via samba wrote: >>> >>> Remy, >>> >>> On the domain controller (samba-ad-dc), I have in the config:

On 10/1/2020 8:34 AM, Rowland penny via samba wrote: > On 01/10/2020 13:30, Jason Keltz via samba wrote: >> On 10/1/2020 8:28 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 13:17, Jason Keltz via samba wrote: >>>> So why is it that winbind renews the ticket on the original system, >>>> but on the system that I ssh to, it does not.

On 10/1/2020 8:41 AM, Rowland penny via samba wrote: > On 01/10/2020 13:38, Jason Keltz via samba wrote: >> On 10/1/2020 8:34 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 13:30, Jason Keltz via samba wrote: >>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote: >>>> >>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:

> On 1 Oct 2020, at 10:31, Rowland penny via samba <samba at lists.samba.org> wrote: > > On 01/10/2020 00:23, Jason Keltz via samba wrote: >> >> Remy, >> >> On the domain controller (samba-ad-dc), I have in the config: kdc:user ticket lifetime = 24 > I do not recognise that smb.conf option, could this be another freebsd change that was never sent

On 9/30/2020 7:23 PM, Jason Keltz wrote: > On 9/30/2020 4:11 PM, Remy Zandwijk via samba wrote: > >>> On 30 Sep 2020, at 21:42, Jason Keltz via samba >>> <samba at lists.samba.org> wrote: >>> >>> >>> On 9/30/2020 3:01 PM, Remy Zandwijk via samba wrote: >>>>>>> On the client, add: >>>>>>>

On 10/1/2020 4:10 PM, Rowland penny via samba wrote: > On 01/10/2020 20:47, Jason Keltz via samba wrote: >> >> Hi Rowland, >> >> In my case, I think I may know why pam_winbind is not renewing the >> ticket before it expires. >> > I don't think it matters about the extra characters in the ticket > name, I think the ticket search looks for a ticket

Maybe its.. authconfig --enablewinbindkrb5 --update Requirements to achieve this: - A valid /etc/krb5.conf - A valid system keytab /etc/krb5.keytab - A valid /etc/samba/smb.conf -> will be modified by authconfig ( found on internet worked in centos7 ) But better read.. https://sssd.io/docs/users/pam_krb5_migration.html Greetz, Louis > -----Oorspronkelijk bericht----- >

On 10/1/2020 8:28 AM, Rowland penny via samba wrote: > On 01/10/2020 13:17, Jason Keltz via samba wrote: >> So why is it that winbind renews the ticket on the original system, >> but on the system that I ssh to, it does not. > > Do you have 'winbind refresh tickets = yes' set on all the systems ? Absolutely.? In fact,? both systems are using the identical smb.conf,

I'm experimenting with smb + winbind. My host is joined to AD and I can login to my host fine using my AD credentials via SSH.?? The only issue is that I don't get a Kerberos ticket generated. In /etc/security/pam_winbind.conf I have: krb5_auth = yes krb5_ccache_type = KEYRING In /etc/krb5.conf, I also have: default_ccache_name = KEYRING:persistent:%{uid} Using wbinfo -K jas, then

We are using tmux, screen and x2go to run long-running jobs on our compute servers. $HOME and other data should be mounted via CIFS or NFS4. Because such a job can run for more than a week, I would like to increase the Kerberos ticket lifetime or better the Kerberos ticket maximum renewable lifetime. I found this guide: https://wiki.samba.org/index.php/Samba_KDC_Settings Unfortunately, only

Hi list,I want to make winbind kerberos ticket refresh work but I couldn't do it with configuration below: ------ smb.conf ------security = ADS workgroup = MYDOMAINrealm = MYDOMAIN.ORG log file = /var/log/samba/%m.loglog level = 6enable core files = no idmap config * : backend = tdbidmap config * : range = 3000-7999idmap config MYDOMAIN : backend = rid idmap config MYDOMAIN : range =

On 7/28/2020 4:11 PM, Jason Keltz wrote: > > On 7/28/2020 3:59 PM, Jason Keltz via samba wrote: >> I'm experimenting with smb + winbind. >> >> My host is joined to AD and I can login to my host fine using my AD >> credentials via SSH.?? The only issue is that I don't get a Kerberos >> ticket generated. >> >> In

Thanks Louis. Results below. > Hai, > > I've reading this thread more closely. > > I suggest you try the followoing. > > Check the servers hardware clock in the bios first. > Set these within 5 min, if they are not about the same. > There no RTC in the pi; the other DC is running in a VM with RTC set to UTC. I have disabled the guest from getting the time

> I hope that you're doing well... I am, thanks. I still need to answer your private email, but I didn't find time yet. >>> On the client, add: >>> >>> gensec_gssapi:requested_life_time = <int> # seconds >>> >>> to smb4.conf. E.g. a ticket life time of one hour: >>> >>> gensec_gssapi:requested_life_time = 3600