[PATCH] krb5 ticket refresh after suspend and winbindd goes from offline to online

Andreas Schneider anschneider at suse.de
Wed Dec 17 10:11:13 GMT 2008

On Wednesday 17 December 2008 06:27:04 boyang wrote:
> Hi, everyone:

Hi Bo,

>       2. The krb5 ticket must be refreshed. But the
> krb5_ticket_refresh_handler might not fired as soon as possible. There
> can be 5 minutes lag between ticket refresh and winbindd goes online.
> Apps(smbspool) relying on krb5 ticket suffers from this, we must ensure
> that ticket is refreshed as soon as winbindd goes online. [in
> winbindd_cm.c] 3. krb5 ticket refresh chain is broken in
> krb5_ticket_refresh_handler(). when KDC is unreachable, we have to keep
> the krb5 ticket refresh handler. [in winbindd_cred_cache.c]

I looked at the patches and thought about the problem. Your patches are fine. 
I just think there is an additional case.

Lets assume we come back from suspend. We login again and normally the 
kerberos tickets get refreshed, but we can't do this so the expired tickets 
are still available in the ccache. Then we get a network connection, but we 
still can't connect to the ADS and refresh some tickets.

Then the user connects to the ADS network (maybe a network link was broken or 
he opened a vpn connection) and can access the servers. If he tries to connect 
to server now which needs kerberos authentication, the expired tickets will be 

Shouldn't the expired tickets be removed if we can't refresh them?

	-- andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
Url : http://lists.samba.org/archive/samba-technical/attachments/20081217/30e5ac94/attachment.bin

More information about the samba-technical mailing list