Bug 52987 - Kerberos Ticket lifetime should be configurable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 5.0
Other Linux
P5 normal
UCS 5.0-1-errata
Assigned To: Iván.Delgado
Julia Bremer
https://git.knut.univention.de/univen...
Reported: 2021-03-25 17:13 CET by Julia Bremer
Modified: 2022-01-05 17:44 CET (History)
What kind of report is it?: Feature Request
Ticket number: 2021102121000452, 2021032221000697


Description Julia Bremer univentionstaff 2021-03-25 17:13:13 CET
The Kerberos ticket lifetime can be configured.
In Heimdal, it can be configured by adding ticket_lifetime to /etc/krb5.conf under libdefaults:

[libdefaults]
    ticket_lifetime = 20h


In Samba, this line has to be inserted into sam.ldb:
kdc:user ticket lifetime = 20


We should add a UCR variable for this.
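As an added illustration (not code from this bug, UCS, Heimdal or Samba), the following Python script renders both settings from a single value in whole hours and cross-checks existing krb5.conf and smb.conf fragments for drift between the two, which is the failure mode a single UCR variable is meant to prevent. The config snippets are constructed inline; the Heimdal duration parser covers only a subset of the syntax krb5.conf accepts (plain seconds, or numbers with d/h/m/s suffixes), and the smb.conf lookup assumes the parameter sits in [global].

```python
"""Render and cross-check the Kerberos ticket lifetime in Heimdal's krb5.conf
and Samba's smb.conf from a single value in whole hours.

Constructed example: the config snippets are built inline, not read from a
live host. 'ticket_lifetime' under [libdefaults] and
'kdc:user ticket lifetime' are the two parameters the bug report names; the
duration parser covers only a subset of what Heimdal accepts (plain seconds,
or numbers with d/h/m/s suffixes).
"""
import re
from typing import Iterator, Optional, Tuple

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)\s*([dhms]?)")
_VALID = re.compile(r"(\s*\d+\s*[dhms]?\s*)+")


def parse_heimdal_deltat(text: str) -> int:
    """Return seconds for a krb5.conf duration such as '20h', '1d 2h' or '600'."""
    if not _VALID.fullmatch(text):
        raise ValueError(f"unsupported lifetime syntax: {text!r}")
    # A bare number without a unit is seconds, as in krb5.conf.
    return sum(int(n) * _UNIT_SECONDS.get(unit, 1) for n, unit in _TOKEN.findall(text))


def _entries(conf: str, comment_chars: str) -> Iterator[Tuple[Optional[str], str, str]]:
    """Yield (section, key, value) from an ini-style file; keys are normalised
    to lower case with single spaces, sections to lower case."""
    section = None
    for raw in conf.splitlines():
        line = raw
        for ch in comment_chars:
            line = line.split(ch, 1)[0]
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            yield section, " ".join(key.lower().split()), value


def heimdal_lifetime_hours(krb5_conf: str) -> Optional[int]:
    """ticket_lifetime from [libdefaults], rounded down to whole hours; None if unset."""
    for section, key, value in _entries(krb5_conf, "#"):
        if section == "libdefaults" and key == "ticket_lifetime":
            return parse_heimdal_deltat(value) // 3600
    return None


def samba_user_ticket_lifetime_hours(smb_conf: str) -> Optional[int]:
    """'kdc:user ticket lifetime' (already in hours) from [global]; None if unset."""
    for section, key, value in _entries(smb_conf, "#;"):
        if section == "global" and key == "kdc:user ticket lifetime":
            return int(value)
    return None


def render_configs(lifetime_hours: int) -> Tuple[str, str]:
    """Produce matching krb5.conf and smb.conf fragments for one lifetime in hours.
    Only whole hours are accepted, because the Samba parameter is an hour count."""
    if not isinstance(lifetime_hours, int) or lifetime_hours <= 0:
        raise ValueError("lifetime must be a positive number of whole hours")
    krb5 = f"[libdefaults]\n    ticket_lifetime = {lifetime_hours}h\n"
    smb = f"[global]\n    kdc:user ticket lifetime = {lifetime_hours}\n"
    return krb5, smb


def lifetimes_consistent(krb5_conf: str, smb_conf: str) -> bool:
    """True when both files state the same lifetime; a missing value on either
    side counts as drift, since the daemons would then fall back to their own defaults."""
    heimdal = heimdal_lifetime_hours(krb5_conf)
    samba = samba_user_ticket_lifetime_hours(smb_conf)
    return heimdal is not None and heimdal == samba


# Constructed sample: the Heimdal side was raised to 20h but Samba still says 10.
KRB5_SAMPLE = """[libdefaults]
# constructed realm name
    default_realm = EXAMPLE.TEST
    ticket_lifetime = 20h
"""
SMB_SAMPLE = """[global]
; constructed realm name
    realm = EXAMPLE.TEST
    kdc:user ticket lifetime = 10
"""

if __name__ == "__main__":
    print("drift between samples:", not lifetimes_consistent(KRB5_SAMPLE, SMB_SAMPLE))
    krb5, smb = render_configs(20)
    print(krb5 + smb + "consistent:", lifetimes_consistent(krb5, smb))
```

Running the script reports drift for the constructed pair and then prints the two rendered fragments, which agree by construction. The parsers deliberately return None rather than a default when a key is absent, so an operator who set only one of the two files sees that as an inconsistency instead of a silently different lifetime on each KDC.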
Comment 2 Mário Santiago univentionstaff 2021-10-25 09:41:38 CEST
Requested by https://help.univention.com/t/kerberos-principal-lifetime/17753/2
Comment 3 Arvid Requate univentionstaff 2021-12-29 20:48:30 CET
OK, out of curiosity I just checked where this is handled in Samba and
found that lib/param/util.c also defines "kdc:service ticket lifetime".

So I compared to vanilla Heimdal KDC code and it seems right that the
"ticket_lifetime" parameter in krb5.conf only corresponds to the
"kdc:user ticket lifetime" in smb.conf, see e.g.:

https://comp.protocols.kerberos.narkive.com/mrdP4J69/kerberos-ticket-lifetime-in-heimdal

Also interesting: man smb.conf # / gpo update command
But apparently that was an experimental GSOC effort that hasn't been followed
up yet. If activated properly it seems to write a file gpext.conf, but for that
a corresponding include statement would have to be added to smb.conf.

So, that's just a couple of observations which don't affect the fix at all.
Comment 4 Iván.Delgado univentionstaff 2022-01-04 08:35:22 CET
I've made the ticket lifetime configurable.

8839a71114
2d8ec08389
22c7a7f025
922b9428d6
c3bc4063c8
c53c8e5d27

univention-samba4: 9.0.6-7A~5.0.0.202201040825
univention-heimdal: 13.0.3-3A~5.0.0.202201040823
ucs-test: 10.0.6-91A~5.0.0.202201040828
Comment 5 Julia Bremer univentionstaff 2022-01-05 10:51:48 CET
OK: UCR variable changes kerberos ticket lifetime with heimdal
OK: UCR variable changes kerberos ticket lifetime with samba
OK: UCR variable description
OK: Only configurable in hours
OK: Tests

I adjusted your yaml files. ucs-test doesn't need a yaml file, since it is an unmaintained package.
I changed the others for readability.

aa50fc85db Bug #52987: adjust advisory text
e4467d4526 Bug #52987: No yaml file needed for ucs-test

Verified