Bug 10780 - winbind doesn't refresh a ticket
Summary: winbind doesn't refresh a ticket
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.1.6
Hardware: x86 Linux
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2014-08-23 20:21 UTC by Victor
Modified: 2014-08-25 07:24 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Victor 2014-08-23 20:21:43 UTC
Hi all!

It will good for me if you help me. 

On a client side:
I have the following global section and have a winbind pam config:

        workgroup = COMPANY
	realm = COMPANY.RU
	security = ADS
	encrypt passwords = true
	dns proxy = no 
	socket options = TCP_NODELAY
	domain master = no
	local master = no
	preferred master = no
	os level = 0
	domain logons = no
	load printers = no
	show add printer wizard = no
	printcap name = /dev/null
	disable spoolss = yes
	idmap config * : range = 10000-20000
	idmap config * : backend = tdb 
	winbind enum groups = yes
	winbind enum users = yes
	winbind use default domain = yes
	template shell = /bin/bash
	winbind refresh tickets = yes

# /etc/pam.d/common-auth - authentication settings common to all services
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

auth sufficient pam_winbind.so krb5_auth krb5_ccache_type=FILE
auth sufficient pam_unix.so nullok_secure use_first_pass
auth required   pam_deny.so

# here are the per-package modules (the "Primary" block)
auth	[success=3 default=ignore]	pam_krb5.so minimum_uid=1000
auth	[success=2 default=ignore]	pam_unix.so nullok_secure try_first_pass
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so 
# end of pam-auth-update config

After login to client I have a tgt for example:

Valid starting       Expires              Service principal
23.08.2014 23:00:53  24.08.2014 09:00:51  krbtgt/COMPANY.RU@COMPANY.RU
	renew until 30.08.2014 23:00:53
23.08.2014 23:00:53  24.08.2014 09:00:51  GUSEVVS$@COMPANY.RU
	renew until 30.08.2014 23:00:53

The first question is about: GUSEVVS$@COMPANY.RU - What about the ticket? $ - is strange symbol...

The second is about: Expiries... When I lock my PC (ubuntu), and unlock it again: I get a new tgt, but when my pc is ilde without lock screen more than 10 hours, I have expiried my tgt, and because of this I can't explore any kerberosed services.  

I use samba 4.1.6 as domain member (ubuntu repos) and 4.1.9 as a server side software (sernet) 

Does it work? I mean: winbind refresh tickets = yes value.

Thank for you effort to me!