New subject: [Bug 1196224] User Kerberos Tickets are not refresh or get destroyed after Update to samba 4.15.4

21 Feb 2022

      http://bugzilla.opensuse.org/show_bug.cgi?id=1196224

            Bug ID: 1196224
           Summary: User Kerberos Tickets are not refresh or get destroyed
                    after Update to samba 4.15.4
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.3
          Hardware: x86-64
                OS: openSUSE Leap 15.3
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Samba
          Assignee: samba-maintainers@SuSE.de
          Reporter: andreas.hauffe@tu-dresden.de
        QA Contact: samba-maintainers@SuSE.de
          Found By: ---
           Blocker: ---

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0
Build Identifier: 

At the end of January there was an update of Samba 4.13 to 4.15. Since this
time all our clients, which are Windows-AD members, doesn't keep the user
kerberos tickets like before. Either the tickets are not refreshed or the
tickets are destroyed. This results in a crashed KDE Plasma in the morning when
the users try to login again, since the clients/user accounts weren't able to
write on the kerberized NFS-Home mounts after the tickets got lost.

Reproducible: Always

Steps to Reproduce:
1. Configure PAM-Winbind for User logins
2. Wait some hours and the user tickets are not in the ticket cache any more
Actual Results:  
Crashed KDE Plasma due to unwriteable home mounts

Expected Results:  
refreshed user tickets in the ticket cache

smb.conf
[global]
    netbios name = ilr114l
    security = ADS
    workgroup = ILRW
    realm = ILRW.ING.DOM.TU-DRESDEN.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    template homedir = /home/home_ilrw/%U
    template shell = /bin/bash
    winbind refresh tickets = yes
    winbind separator = +
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config ILRW : backend = rid
    idmap config ILRW : range = 3000-9999 # UID aus RID fuer ILRW
    idmap config DOM : backend = rid
    idmap config DOM : range = 10000-9999999 # UID aus RID fuer DOM

krb5.conf
[libdefaults]
        default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
        dns_lookup_realm = true
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

[realms]
   ILRW.ING.DOM.TU-DRESDEN.DE = {
        auth_to_local =
RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
        auth_to_local =
RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
        auth_to_local = DEFAULT
   }

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 1196224] New: User Kerberos Tickets are not refresh or get destroyed after Update to samba 4.15.4

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

bugzilla_noreply＠suse.com

tags

participants (1)