I'm using Mint distro 18.1. I configure my laptop to join AD domain on Windows 2008R2 Server.
here my configuration:
/etc/krb5.conf
[libdefaults]
default_realm = ACMEAD.COM
clockskew = 300
ticket_lifetime = 60d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
[realms]
PRIMEURAD.COM = {
kdc = AD.ACME.COM:88
admin_server = AD.ACME.COM:749
default_domain = ACMEAD.COM
ticket_lifetime = 60d
}
[domain_realm]
.kerberos.server = ACMEAD.COM
.acmead.com = ACMEAD.COM
acmead.com = ACMEAD.COM
acmead = ACMEAD.COM
ticket_lifetime = 60d
[appdefaults]
pam = {
ticket_lifetime = 60d
renew_lifetime = 60d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmind.log
[login]
krb4_convert = true
krb4_get_tickets = false
/etc/samba/smb.conf
[global]
workgroup = primeurad
realm = primeurad.com
netbios name = lap-pc-1976
security = ADS
dns forwarder = 172.16.0.3
idmap config * : backend = tdb
idmap config *:range = 50000-1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = yes
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind cache time = 300
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
preferred master = no
dns proxy = no
wins server = ad.primeur.com
wins proxy = no
inherit acls = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
/etc/security/pam_winbind.conf
[global]
debug = no
debug_state = no
try_first_pass = yes
krb5_auth = yes
krb5_ccache_type = FILE
cached_login = yes
silent = no
# mkhomedir = yes
I'm able to login and authenticate my self. I add my PC to the domain with no problem. And I'm also able to login when I'm offline, which is what I want most. I'm trying to increase the ticket lifetime to 60days, now if I type klist this is what I see
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/11/2017 12:25:02 07/11/2017 22:25:02 krbtgt/[email protected]
renew until 07/18/2017 12:24:59
It seems to me that takes the default of 10h instead of 60 days. How can I increase it?
The Active Directory domain defaults take precedence here.
Best Practice would be to let the Maximum lifetime for Kerberos service ticket remain at the default of 10 hours. In various technical guides and Active Directory Group Policy, you will see that value written out as 600 minutes which is 10 hours, but shown as 600 minutes instead. I've never known why they did this. If you want to change the value, you will have to open up the Active Directory domain Group Policy Management Console tool (GPMC.msc) and edit the "Default Domain Policy" Group Policy Object. Once that GPO is opened, navigate to the following path, and change 600 minutes to its 60 day equivalent which would be 86400.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for service ticket
Reference: Maximum lifetime for service ticket
Note that changing this this would considered a security risk, as it gives potential hackers that much more time to potentially decrypt the service ticket and use for themselves. Just google "silver ticket attack". This is why why 10 hours is set as the default. It is also the default for all major Identity Management implementations using Kerberos, not just Active Directory. It is considered a trade-off between security and usability. You also asked "I see I have to increase also the kerberos principal but not sure how to do it". What did you mean by that? Did you mean "service principal name"? Or the Ticket Granting Ticket? Or the user account? What do you mean by "increasing it?" If you meant about increasing other Kerberos ticket lifetimes, such as the Ticket Granting Ticket, AKA "user ticket", then you can also modify them in the same area of the GPO mentioned above. In that GPO, the Ticket Granting Ticket (TGT), is written as "user ticket". It has the same lifetime of 10 hours. The screenshot below is from my lab, showing everything at the defaults:
EDIT/UPDATE: To allow for offline logins to an AD domain-joined Windows PC when it is not connected to the network, or in case a domain controller is not available, you will have to allow for what is known as "cached credentials". This allows for the PC to re-use the service ticket and not be prompted to go get a new one. You can either do this on a one-off basis for a single machine, or domain-wide via a GPO. Both methods are described below:
For a single machine, just edit the Registry
For a domain-wide method, use a GPO
Note to the above: This setting would be ignored on a Linux OS joined to AD, since there is no Registry on Linux. In short, you cannot allow for cached (offline) logon to an AD domain for Linux laptops - that is a Windows OS-only feature.