Simo,
I'm Doug 2.  Do you know how to initiate speedy renewal of
the tickets for the instance of a hibernated client that
sleeps through and well past the lifetime of the ticket?

I agree that the ticket renewal happens automagically.
But for a while after waking up, the client can't access
the shares and it's enough of an issue with users to force
turning off hibernation and running them 24 hrs a day.

Sorry for being off-topic to the original post.  Trigger word was
ticket lifetime.

Doug2

simo wrote:
Doug,
you don't need any login to make samba work in an AD environment.
At the join samba creates a machine account in a domain, and stores the
machine password in the secrets.tdb file. When samba needs to do some
operation with the domain it just needs to use that account to request
tickets from the KDC.
It is just like any other windows host out there.

Simo.

On Fri, 2006-05-12 at 08:23 -0500, Doug Tucker wrote:
I'm not sure I follow.  By client, you mean my samba server that is
joined to AD?  I've been running without a ticket at all for 2 weeks
now, and have yet to see a single problem.  What type of bad behaviour
should I be looking for?  We're using win2k3 AD, samba 3.0.22, and all
winXP desktop clients.  Sorry if I'm being a pain, I'm just a bit
confused here, as I can't find any documentation on this subject.  All I
see is in the installation instructions that you have to do the kinit
[EMAIL PROTECTED] and log in which gives you a ticket.  My issue is my windows
guys aren't very bright and didn't even know that their AD ran anything
"called kerberos", and don't know how to change the ticket lifetime.
That concerned me because I don't want to have to set up a cron to auto
login every 24 hours, so I put it on the back burner, the ticket expired,
I come back and everything is still working fine.  Which got me thinking
about its validity, which started me down this path I have digressed
to, just deleting the ticket, rebooting the machine to remove anything
from memory, resume testing, and the whole thing still works like a
charm.  And so far, all I'm getting here from this user group is
everyone seems to feel like this ticket is necessary, yet no one is
taking a shot at why I'm working just fine.  I'm just concerned about
going production if this is really necessary, but so far from what I've
seen, the ticket is not needed at all.  Anyone else try running in this
type of environment without one?


On Thu, 2006-05-11 at 21:17 -0700, Doug VanLeuven wrote:
When using domain logons, after resuming from a hibernate that
exceeded the lifetime of the Kerberos ticket, the client doesn't
immediately renew the ticket.  It will auto renew, but I've not
determined the amount of time it takes.
Is there a way to force the client to renew the ticket?  Short of
rebooting, that is.  Things don't work very well until it's renewed.
Trying to go green.  Samba client and/or XP/2000 client?

Regards, Doug


simo wrote:
Samba stores the machine password and obtains tickets from the KDC when
needed.

Simo.

On Thu, 2006-05-11 at 16:53 -0500, Doug Tucker wrote:
Thanks.  But again, is the ticket even needed?  I deleted the darn
thing, rebooted to make sure it wasn't cached in memory somewhere, and
everything seems to be working perfectly.  If it is indeed needed, and I
need to extend the period, are there any directions on how to do that on
the windows side?


On Thu, 2006-05-11 at 23:07 +0200, Blaž Primc wrote:
Hi,

the period for which the ticket is valid can be set in Windows Server.

Best regards, Blaž.

Doug Tucker wrote:
I recently joined a samba 3.0.22 server to AD.  When I did the kinit,
the AD gave me a 24 hour ticket with a 1 week renewal.  Setting -r and
-l to 365d did not change anything, the ticket still came back the same.
However, my question is in regard to whether this is really even
needed?  First, I deleted the ticket, and everything seemed to continue
to work perfectly.  Now, I let the ticket expire for a couple of weeks
now, and yet, the samba server is working fine and users still
authenticate against AD just fine.  Am I missing something, or is the
creation of that ticket not even needed?  Thank you for your assistance.

doug...



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
