Bug 2057503

Summary: Regression: [samba] winbind isn't able to refresh Kerberos tickets
Product: Red Hat Enterprise Linux 8 Reporter: Andreas Schneider <asn>
Component: samba Assignee: Andreas Schneider <asn>
Status: CLOSED ERRATA QA Contact: Denis Karpelevich <dkarpele>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.5 CC: aboscatt, asn, dkarpele, gdeschner, jarrpa, sssd-qe
Target Milestone: rc Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: samba-4.15.5-4.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2057500 Environment:
Last Closed: 2022-05-10 15:28:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2057500    
Bug Blocks:    

Description Andreas Schneider 2022-02-23 14:20:31 UTC
+++ This bug was initially created as a clone of Bug #2057500 +++

Description of problem:
winbindd of Samba fails to automatically refresh Kerberos tickets when pam_winbind is getting them.

Winbind needs to be configured with `winbind refresh tickets = yes`

[global]
    security = ADS
    workgroup = SAMBA
    realm = SAMBA.ORG
    winbind refresh tickets = yes
    [..]

And pam_winbind needs to be configured with krb5_auth and krb5_ccache_type. This should be the case if you use `realm join` or the winbind authselect profile.


How reproducible:


Steps to Reproduce:
1. Set up a Windows or Samba AD server
2. Change the 'Maximum lifetime for user ticket' Kerberos Policy (GPO) on the server and set it to 5 or 10 minutes (default should be 8 or 10 hours).
3. Configure a Domain member with `winbind refresh tickets = yes` and pam_winbind doing a krb5_auth
4. Log in with ssh as a domain user
5. Check the lifetime of the TGT with klist
6. Check again after 10 min that the ticket has been automatically renewed
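
Steps 5 and 6 above, as an added shell example that is not part of the original bug report or of Samba: it compares the TGT expiry in two saved `klist` outputs to tell whether winbindd refreshed the ticket. It assumes MIT `klist` output with `MM/DD/YYYY HH:MM:SS` timestamps (locale dependent); the function names and the sample principal `alice` are constructed for illustration.

```shell
#!/bin/sh
# Added example: did the TGT expiry move forward between two klist snapshots?
# Assumption: MIT klist layout "start-date start-time end-date end-time service".

# tgt_expiry_key: read klist output on stdin and print the expiry of the first
# krbtgt entry as a sortable YYYYMMDDHHMMSS key; print nothing if there is none.
tgt_expiry_key() {
    awk '$5 ~ /^krbtgt\// {
        split($3, d, "/"); split($4, t, ":")
        if (length(d[3]) == 2) d[3] = "20" d[3]   # two-digit year variant
        printf "%04d%02d%02d%02d%02d%02d\n", d[3], d[1], d[2], t[1], t[2], t[3]
        exit
    }'
}

# tgt_refreshed BEFORE AFTER: return 0 if the TGT in file AFTER expires later
# than the one in file BEFORE, 1 if the expiry is unchanged or earlier, and
# 2 if either snapshot holds no TGT at all (ticket expired or cache empty).
tgt_refreshed() {
    before=$(tgt_expiry_key < "$1")
    after=$(tgt_expiry_key < "$2")
    [ -n "$before" ] && [ -n "$after" ] || return 2
    [ "$after" -gt "$before" ]
}

# sample_klist START END: constructed klist output (not captured from a real
# host) for a TGT in the SAMBA.ORG realm used in the report.
sample_klist() {
    cat <<EOF
Ticket cache: KEYRING:persistent:10001:10001
Default principal: alice@SAMBA.ORG

Valid starting       Expires              Service principal
02/23/2022 $1  02/23/2022 $2  krbtgt/SAMBA.ORG@SAMBA.ORG
	renew until 03/02/2022 14:20:31
EOF
}

# On the domain member: klist > before.txt, wait past the ticket lifetime,
# klist > after.txt, then run this script with the two files as arguments.
if [ "$#" -eq 2 ]; then
    if tgt_refreshed "$1" "$2"; then
        echo "TGT refreshed"
    else
        echo "TGT NOT refreshed (status $?)"
    fi
fi
```

A status of 2 on the second snapshot means the ticket expired and disappeared without being replaced, which is the failure this bug describes.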

Comment 7 errata-xmlrpc 2022-05-10 15:28:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:2074