Accessing a Kerberos-enabled share remains possible for the current session, even after kdestroy is run to destroy the Kerberos ticket. Is this the intended behaviour or a possible security issue?

To reproduce:

kinit username
smbclient //KERBEROS/Shared
Access the share, browse, etc.
In another command session, run kdestroy -A to destroy all Kerberos tickets.
smbclient will still be connected, and can browse directory listings, retrieve files, etc.

I would have thought there should be some periodic check that the ticket still exists and is valid?
That's a server policy, not a client one. The 'periodic check' you're looking for is the ticket lifetime, which is a policy set on the kdc. I'll check in the code what happens server-side once the ticket has timed out, but this isn't a Samba code bug.
(In reply to Jeremy Allison from comment #1) It should result in a NT_STATUS_NETWORK_SESSION_EXPIRED (for SMB1 only if the client supports reauthentication and sets CAP_DYNAMIC_REAUTH).
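
The behaviour discussed in this thread, as an added toy model (not Samba source code and not part of any comment above): the server keeps the ticket end time it saw at session setup, so a client-side kdestroy changes nothing until that time passes. The Session structure, the replay helper and the timeline are assumptions made for illustration, as is serving the request when an SMB1 client lacks CAP_DYNAMIC_REAUTH.

```python
from dataclasses import dataclass

NT_STATUS_OK = 0x00000000
NT_STATUS_NETWORK_SESSION_EXPIRED = 0xC000035C
CAP_DYNAMIC_REAUTH = 0x20000000  # SMB1 capability bit


@dataclass
class Session:
    """Server-side state created at session setup (hypothetical structure)."""
    dialect: str           # "SMB1" or "SMB2"
    client_caps: int       # capabilities the client sent at negotiation
    ticket_endtime: float  # end time taken from the service ticket


def check_request(session: Session, now: float) -> int:
    """Status the modelled server returns for a request arriving at `now`."""
    if now < session.ticket_endtime:
        return NT_STATUS_OK
    if session.dialect == "SMB1" and not session.client_caps & CAP_DYNAMIC_REAUTH:
        # Client did not announce reauthentication support, so no expiry
        # status is sent. Assumption of this model: the request is served.
        return NT_STATUS_OK
    return NT_STATUS_NETWORK_SESSION_EXPIRED


def replay(session: Session, events):
    """events: (time, kind) pairs; kind is 'request' or 'kdestroy'.

    'kdestroy' only empties the client's credential cache. The server never
    sees it, so it is skipped here and the session state is untouched.
    """
    return [check_request(session, when)
            for when, kind in events if kind == "request"]


# Constructed timeline (seconds): ticket valid for 10 hours,
# kdestroy -A after 5 minutes, last request just past the end time.
TICKET_END = 36000
TIMELINE = [(60, "request"), (300, "kdestroy"),
            (600, "request"), (36001, "request")]

if __name__ == "__main__":
    for label, sess in [
        ("SMB2", Session("SMB2", 0, TICKET_END)),
        ("SMB1 with CAP_DYNAMIC_REAUTH", Session("SMB1", CAP_DYNAMIC_REAUTH, TICKET_END)),
        ("SMB1 without it", Session("SMB1", 0, TICKET_END)),
    ]:
        print(label, [hex(s) for s in replay(sess, TIMELINE)])
```

In the model, the request made after kdestroy still succeeds for every dialect; only the request past the ticket end time is refused, which is why the effective control is the ticket lifetime set on the KDC.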