Discussion:
[Samba] Problem with ticket lifetimes of Linux clients authenticating to Samba 4 AD
Dirk Heinrichs via samba
2017-03-08 20:50:02 UTC
Hi,

I've recently migrated an LDAP/Kerberos 5 setup to a Samba 4 based
Active Directory, mainly to support a couple of Windows clients. Since
this is a small private network, I've set quite long Kerberos ticket
lifetimes in smb.conf on the DC. These work fine on the Windows clients,
but are somehow completely ignored on the Linux clients, where users
always get the default ticket lifetime of 10 hours. OTOH, if I just
kinit I get the correct ticket lifetimes, as shown below (right after
login):

% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: ***@EXAMPLE.COM

Valid starting Expires Service principal
08.03.2017 19:35:46 09.03.2017 05:35:44 krbtgt/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46 09.03.2017 05:35:44 SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47 09.03.2017 05:35:44 afs/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
% kinit
Passwort for ***@EXAMPLE.COM:
% klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_1234
Standard-Principal: ***@EXAMPLE.COM

Valid starting Expires Service principal
08.03.2017 19:36:36 07.04.2017 20:36:30 krbtgt/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:36:30

Linux clients are set up to use winbind (incl. PAM and NSS modules). Any
idea what I can do to get the correct ticket lifetime right after login?

Thanks...

Dirk
--
Dirk Heinrichs <***@altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy handbook: https://www.privacy-handbuch.de
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Dirk Heinrichs via samba
2017-03-11 10:30:02 UTC
Post by Dirk Heinrichs via samba
Linux clients are set up to use winbind (incl. PAM and NSS modules).
Any idea what I can do to get the correct ticket lifetime right after
login?
Using sssd (with AD provider) instead of winbind solves the problem.

Bye...

Dirk
--
Dirk Heinrichs <***@altum.de>
GPG Public Key: D01B367761B0F7CE6E6D81AAD5A2E54246986015
Secure Internet communication: http://www.retroshare.org
Privacy handbook: https://www.privacy-handbuch.de
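
Added example, not part of the original thread and not Samba code: a small Python check that parses klist rows like those in the first message and flags a TGT whose lifetime falls short of the expected policy. The 30-day expected lifetime, the 5-minute tolerance and the function names are assumptions (the post does not state the smb.conf values); the ticket rows are copied from the post.

```python
import re
from datetime import datetime, timedelta

# Ticket rows copied from the klist output in the post (dd.mm.yyyy is locale-dependent).
AFTER_LOGIN = """\
08.03.2017 19:35:46 09.03.2017 05:35:44 krbtgt/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
08.03.2017 19:35:46 09.03.2017 05:35:44 SOMEHOST$@EXAMPLE.COM
08.03.2017 19:35:47 09.03.2017 05:35:44 afs/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:35:44
"""
AFTER_KINIT = """\
08.03.2017 19:36:36 07.04.2017 20:36:30 krbtgt/***@EXAMPLE.COM
erneuern bis 07.04.2017 20:36:30
"""

STAMP = r"(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"
ROW = re.compile(rf"^\s*{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"{STAMP}\s*$")  # match the trailing stamp, not the localized label
FMT = "%d.%m.%Y %H:%M:%S"

def parse_tickets(text):
    """Return one dict per ticket; durations are naive wall-clock differences (no DST handling)."""
    tickets = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            start, end = (datetime.strptime(s, FMT) for s in m.group(1, 2))
            tickets.append({"principal": m.group(3), "start": start,
                            "lifetime": end - start, "renewable": None})
        elif tickets and (r := RENEW.search(line)):
            # A "renew until" line belongs to the ticket row directly above it.
            tickets[-1]["renewable"] = datetime.strptime(r.group(1), FMT) - tickets[-1]["start"]
    return tickets

def short_tgts(text, expected, tolerance=timedelta(minutes=5)):
    """TGTs whose lifetime falls short of `expected` by more than `tolerance`."""
    return [t for t in parse_tickets(text)
            if t["principal"].startswith("krbtgt/")
            and t["lifetime"] + tolerance < expected]

if __name__ == "__main__":
    policy = timedelta(days=30)  # assumed policy value, not taken from the post
    for name, out in (("login", AFTER_LOGIN), ("kinit", AFTER_KINIT)):
        for t in parse_tickets(out):
            print(name, t["principal"], t["lifetime"], t["renewable"])
        print(name, "short TGTs:", [t["principal"] for t in short_tgts(out, policy)])
```

Running it after a PAM login and again after a manual kinit shows the gap described in the thread: the login TGT is just under 10 hours, while the kinit TGT meets the assumed 30-day value.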