Accessing a kerberos enabled share remains possible for the current session, even after kdestroy is run to destroy the kerberos ticket.
Is this the intended behaviour or a possible security issue?
Access the share, browse, etc
In another command session, run kdestroy -A to destroy all kerberos tickets
smbclient will still be connected, and can browser directory listings, retrieve files, etc
I would have thought there should be some periodic check that the ticket still exists and is valid?
That's a server policy, not a client one. The 'periodic check' you're looking for is the ticket lifetime, which is a policy set on the kdc. I'll check in the code what happens server-side once the ticket has timed out, but this isn't a Samba code bug.
(In reply to Jeremy Allison from comment #1)
It should result in a NT_STATUS_NETWORK_SESSION_EXPIRED (for SMB1 only if the clients supports reauthentication and set CAP_DYNAMIC_REAUTH).