ads_cached_connection() in winbindd_ads.c: tickets expired?

Jeremy Allison jra at samba.org
Mon Mar 22 05:44:33 GMT 2004


On Sun, Mar 21, 2004 at 08:37:01PM -0700, Jim McDonough wrote:
> 
> Ok, before I dig too far in this (which either takes 10 hours at a shot to
> reproduce it or I figure a way to make win2k give us short-lived tickets),
> I'd like a sanity check.  It appears to me that the tremendous performance
> gain of caching the connection via ads_cached_connection() in
> winbindd_ads.c comes with a price:  after the tickets expire, the cached
> connection is worthless.  It seems we need to periodically refresh this
> connection, no?  Maybe we need a timestamp and perhaps we can get ticket
> life info out of kerberos when we acquire the tickets?
> 
> Or am I totally missing something here?  I've got a customer who is needing
> to restart winbindd every 10 hours, as the tickets expire...seems like we
> would have had complaints about this already, which is why I'm wondering if
> it's a setup issue.

Ok, what version of krb5? I see in the source code I have
handy here on my laptop (I'm in Utah all week - don't ask! :-)
in krb5/krb/get_in_tkt.c for version 1.2.6 (somewhat old I think):

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
        request.till += options->tkt_life;
    else
        request.till += 10*60*60; /* this used to be hardcoded in kinit.c */

but the only way to set the KRB5_GET_INIT_CREDS_OPT_TKT_LIFE option
seems to be using a kinit -l option, not a krb5.conf parameter.

God - Kerberos krb5.conf has significantly *worse* documentation
than smb.conf - it doesn't seem to have changed since I worked
on it in 1997 :-(.

Jeremy.
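
Added example (not part of the original thread and not Samba or krb5 code): a minimal C sketch of the timestamp idea raised in the quoted message, recording the ticket expiry when the connection is cached and rebinding shortly before it lapses. The struct, function names and the 5-minute margin are assumptions for illustration; the 10-hour fallback is the one in the get_in_tkt.c lines quoted above, and the real kinit and LDAP bind are replaced by bookkeeping.

```c
#include <stdbool.h>
#include <time.h>

#define DEFAULT_TKT_LIFE (10 * 60 * 60) /* fallback in the quoted get_in_tkt.c code */
#define REFRESH_MARGIN   (5 * 60)       /* assumed margin for clock skew */

struct cached_conn {            /* hypothetical, not Samba's ADS_STRUCT */
    bool     valid;             /* false until the first bind */
    time_t   tkt_expiry;        /* recorded when the ticket is acquired */
    unsigned reconnects;        /* how many times we had to rebind */
};

/* Same rule as the quoted snippet: requested lifetime if given, else 10 hours. */
time_t ticket_expiry(time_t now, time_t requested_life)
{
    return now + (requested_life > 0 ? requested_life : DEFAULT_TKT_LIFE);
}

/* A cached connection is only usable while its ticket has time left. */
bool conn_needs_refresh(const struct cached_conn *c, time_t now)
{
    return !c->valid || now >= c->tkt_expiry - REFRESH_MARGIN;
}

/* Return the cached connection, rebinding first if the ticket is about to
 * expire. The real kinit and LDAP bind are replaced by bookkeeping here. */
struct cached_conn *get_cached_conn(struct cached_conn *c, time_t now, time_t life)
{
    if (conn_needs_refresh(c, now)) {
        c->tkt_expiry = ticket_expiry(now, life);
        c->valid = true;
        c->reconnects++;
    }
    return c;
}

/* Constructed workload: one lookup every `step` seconds for `span` seconds.
 * Returns the number of rebinds, or -1 if a lookup ever saw an expired ticket. */
int simulate_lookups(time_t span, time_t step, time_t life)
{
    struct cached_conn conn = { false, 0, 0 };
    for (time_t now = 0; now <= span; now += step) {
        if (get_cached_conn(&conn, now, life)->tkt_expiry <= now)
            return -1;
    }
    return (int)conn.reconnects;
}
```

With the default lifetime, a day of lookups at one-minute intervals costs three binds in total, so the cache keeps its performance benefit without a restart every 10 hours.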

