
increase ticket life time for offline login


I'm using the Mint 18.1 distro. I configured my laptop to join an AD domain on a Windows 2008 R2 server.

Here is my configuration:

/etc/krb5.conf

[libdefaults]
    default_realm = ACMEAD.COM
    clockskew = 300
    ticket_lifetime = 60d
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1

[realms]
    PRIMEURAD.COM = {
        kdc = AD.ACME.COM:88
        admin_server = AD.ACME.COM:749
        default_domain = ACMEAD.COM
        ticket_lifetime = 60d
    }

[domain_realm]
    .kerberos.server = ACMEAD.COM
    .acmead.com = ACMEAD.COM
    acmead.com = ACMEAD.COM
    acmead = ACMEAD.COM
    ticket_lifetime = 60d

[appdefaults]
    pam = {
        ticket_lifetime = 60d
        renew_lifetime = 60d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/kdc.log
    admin_server = FILE:/var/log/kadmind.log

[login]
    krb4_convert = true
    krb4_get_tickets = false

/etc/samba/smb.conf

[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000

template homedir = /home/%D/%U
template shell = /bin/bash

winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes

load printers = no
debug level = 3
use sendfile = no

/etc/security/pam_winbind.conf

[global]
  debug = no
  debug_state = no
  try_first_pass = yes
  krb5_auth = yes
  krb5_ccache_type = FILE
  cached_login = yes
  silent = no
# mkhomedir = yes

I'm able to log in and authenticate myself. I added my PC to the domain with no problem. And I'm also able to log in when I'm offline, which is what I want most. I'm trying to increase the ticket lifetime to 60 days; now if I type klist this is what I see:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/11/2017 22:25:02  krbtgt/[email protected]
    renew until 07/18/2017 12:24:59

It seems to me that it takes the default of 10h instead of 60 days. How can I increase it?


Solution

  • The Active Directory domain defaults take precedence here.

    Best practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and Active Directory Group Policy, you will see that value written out as 600 minutes, which is 10 hours, but shown as 600 minutes instead. I've never known why they did this. If you want to change the value, you will have to open up the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60-day equivalent, which would be 86400.

    Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket

    Reference: Maximum lifetime for service ticket

    Note that changing this would be considered a security risk, as it gives potential hackers that much more time to potentially decrypt the service ticket and use it for themselves. Just google "silver ticket attack". This is why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it?" If you meant increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT) is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:

    [Screenshot: Kerberos Policy settings in the answerer's lab, all at their default values]

    EDIT/UPDATE: To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:

    For a single machine, just edit the Registry

    For a domain-wide method, use a GPO

    Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.
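The practical way to confirm what the answer describes (the KDC, i.e. the AD domain Kerberos policy, clamping the lifetime regardless of what krb5.conf requests) is to compare the lifetime requested in krb5.conf with the lifetime actually granted in the ticket cache. The following Python script is an added example, not code from the question or the answer: it parses krb5 duration syntax, parses klist output in the layout shown in the question, and reports whether the KDC shortened the TGT. It also converts a krb5 duration into the minutes unit the AD Kerberos Policy GPO uses, so you can check a value like 86400 before editing the policy. The klist sample below is constructed for the example (placeholder principal, realm ACMEAD.COM taken from the question), and the timestamp format is assumed to be the one klist printed in the question; klist's date layout is locale dependent, so adjust TIME_FMT if yours differs.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the question's klist output.
# The principal is a placeholder, not a value from the page.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@ACMEAD.COM

Valid starting       Expires              Service principal
07/11/2017 12:25:02  07/11/2017 22:25:02  krbtgt/ACMEAD.COM@ACMEAD.COM
    renew until 07/18/2017 12:24:59
"""

# Assumed timestamp layout (matches the question's klist output; locale dependent).
TIME_FMT = "%m/%d/%Y %H:%M:%S"
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})")

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_krb5_duration(text):
    """Parse an MIT krb5 duration: bare seconds ('36000'), unit form
    ('60d', '10h', '600m', '1d12h'), or clock form ('10:00' / '10:00:00')."""
    text = text.strip().lower().replace(" ", "")
    if text.isdigit():
        return int(text)
    if ":" in text:
        parts = [int(p) for p in text.split(":")]
        if len(parts) == 2:
            parts.append(0)
        h, m, s = parts
        return h * 3600 + m * 60 + s
    matches = re.findall(r"(\d+)([dhms])", text)
    if not matches or "".join(v + u for v, u in matches) != text:
        raise ValueError(f"unrecognised krb5 duration: {text!r}")
    return sum(int(v) * UNIT_SECONDS[u] for v, u in matches)


def parse_klist(output):
    """Return a list of tickets {service, start, expires, renew_until} from klist text."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # "renew until" belongs to the ticket on the preceding line
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def check_tgt_lifetime(klist_output, requested):
    """Compare the TGT lifetime the KDC granted with the lifetime requested in
    krb5.conf. A granted value shorter than the request means the KDC policy
    (for AD, the domain Kerberos Policy) clamped it; the client cannot override
    that from krb5.conf."""
    requested_s = parse_krb5_duration(requested)
    tgts = [t for t in parse_klist(klist_output) if t["service"].startswith("krbtgt/")]
    if not tgts:
        raise ValueError("no TGT found in klist output")
    tgt = tgts[0]
    granted_s = int((tgt["expires"] - tgt["start"]).total_seconds())
    renew_s = None
    if tgt["renew_until"] is not None:
        renew_s = int((tgt["renew_until"] - tgt["start"]).total_seconds())
    return {
        "requested_seconds": requested_s,
        "granted_seconds": granted_s,
        "renewable_seconds": renew_s,
        "clamped_by_kdc": granted_s < requested_s,
    }


def gpo_minutes(duration):
    """Convert a krb5 duration to the minutes unit used by the AD Kerberos Policy GPO."""
    return parse_krb5_duration(duration) // 60


if __name__ == "__main__":
    # In practice, feed it live output: subprocess.run(["klist"], capture_output=True, text=True).stdout
    print(check_tgt_lifetime(SAMPLE_KLIST, "60d"))
    print("60d expressed in GPO minutes:", gpo_minutes("60d"))
```

On the question's cache the report shows a requested lifetime of 60 days, a granted lifetime of 10 hours and a renewable lifetime of 7 days, with clamped_by_kdc set, which is exactly the "domain defaults take precedence" situation the answer describes. The renewable window is what winbind refresh tickets works within; once the 7-day renew-until point passes, a fresh TGT is required.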