Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD


Samba - General mailing list
Hi,

I've recently migrated an LDAP/Kerberos 5 setup to a Samba 4 based
Active Directory, mainly to support a couple of Windows clients. Since
this is a small private network, I've set quite long Kerberos ticket
lifetimes in smb.conf on the DC. These work fine on the Windows clients,
but are somehow completely ignored on the Linux clients, where users
always get the default ticket lifetime of 10 hours. OTOH, if I just
kinit I get the correct ticket lifetimes, as shown below (right after
login):

% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: [hidden email]

Valid starting       Expires              Service principal
08.03.2017 19:35:46  09.03.2017 05:35:44  krbtgt/[hidden email]
        erneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46  09.03.2017 05:35:44  SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47  09.03.2017 05:35:44  afs/[hidden email]
        erneuern bis 07.04.2017 20:35:44
% kinit
Passwort for [hidden email]:
% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: [hidden email]

Valid starting       Expires              Service principal
08.03.2017 19:36:36  07.04.2017 20:36:30  krbtgt/[hidden email]
        erneuern bis 07.04.2017 20:36:30

Linux clients are set up to use winbind (incl. PAM and NSS modules). Any
idea what I can do to get the correct ticket lifetime right after login?

Thanks...

    Dirk

--
Dirk Heinrichs <[hidden email]>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Sichere Internetkommunikation: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD

On 08.03.2017 at 21:27, Dirk Heinrichs wrote:

> Linux clients are set up to use winbind (incl. PAM and NSS modules).
> Any idea what I can do to get the correct ticket lifetime right after
> login?

Using sssd (with AD provider) instead of winbind solves the problem.

Bye...

    Dirk

--
Dirk Heinrichs <[hidden email]>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Sichere Internetkommunikation: http://www.retroshare.org
Privacy Handbuch: https://www.privacy-handbuch.de