Handling of Kerberos machine account password changes (e.g. domain rejoin)

Andrew Bartlett abartlet at samba.org
Thu Nov 1 07:15:28 MDT 2012


On Thu, 2012-11-01 at 07:22 +0100, Andrew Tridgell wrote:
> The branch, master has been updated
>        via  dd60dcf test-chgdcpass: test the ldap case for server password change
>        via  0e6c5c0 s4-ldapclient: cope with logon failure retry in LDAP
>        via  b0cc0d5 s4-librpc: set error code to LOGON_FAILURE on RPC fault with access denied
>        via  538dd04 samba-tool: "drs options" does not need a samdb connection
>        via  5d6ae34 s4-librpc: try a 2nd logon for more error cases
>        via  fce66b2 test_chgdpass: added test for kerberos retry
>        via  d4ea637 libcli: use cli_credentials_failed_kerberos_login() to cope with server changes
>        via  994696c auth: added cli_credentials_failed_kerberos_login()
>       from  ffb608b util: remove accidently committed hunk
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


Alexander,

I wanted to thank you for the chat we just had on IRC about these
Kerberos changes.  I think we have determined that it won't hit your use
case, because we are careful to only remove a ticket once we have some
evidence that the server it is for won't accept it.

We do take particular care not to just blow away the ccache, because we
might not have a password to recreate it (and it might, as in your
application have come from an external kinit or s4u2proxy call).

The reason for the change is to cope with the re-installation of a
Kerberos host, where the rejoin to the domain has no record of the old
password, and so for up to 10 hours valid tickets in a ccache would be
rejected, without any attempt to get a fresh ticket.

That said, Kerberos can be a tricky beast, and I'm very happy to
continue to work with you to address any further concerns you might have
after your conference.  

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
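The retry policy the message describes, as an added example that is not Samba's code: the KDC, the servers and the ccache are simulated with plain Python objects, and a key version number (`kvno`) stands in for the machine password a ticket was encrypted with. The names `Server.rejoin`, `Client.connect` and `scenario` are hypothetical. The model contrasts dropping only the ticket a server has just rejected (what the message says Samba now does) with clearing the whole ccache, which loses a TGT that came from an external kinit and may not be recreatable without a password.

```python
"""Model of the per-ticket Kerberos retry policy (added example, not Samba code)."""
from dataclasses import dataclass
from typing import Dict, Optional

TGT = "krbtgt"          # key under which the TGT is stored in the ccache


@dataclass
class Ticket:
    server: str         # service principal the ticket is for
    kvno: int           # version of that server's key it was encrypted with


@dataclass
class Server:
    name: str
    kvno: int = 1

    def accepts(self, t: Ticket) -> bool:
        return t.server == self.name and t.kvno == self.kvno

    def rejoin(self) -> None:
        # Reinstall plus domain rejoin: a new machine password with no record
        # of the old one, so any ticket still encrypted with it is rejected.
        self.kvno += 1


class KDC:
    def __init__(self, *servers: Server) -> None:
        self.servers = {s.name: s for s in servers}

    def kinit(self, password: Optional[str]) -> Optional[Ticket]:
        # A TGT needs the client's own password; without one there is no TGT.
        return Ticket(TGT, 1) if password is not None else None

    def tgs(self, tgt: Optional[Ticket], server: str) -> Optional[Ticket]:
        # A service ticket only needs a TGT and is encrypted with the server's
        # *current* key, which the KDC learned when the host rejoined.
        if tgt is None or tgt.server != TGT:
            return None
        return Ticket(server, self.servers[server].kvno)


class Client:
    def __init__(self, kdc: KDC, ccache: Dict[str, Ticket], password: Optional[str]) -> None:
        self.kdc, self.ccache, self.password = kdc, ccache, password

    def _fresh(self, server: str) -> Optional[Ticket]:
        """Obtain a new service ticket, getting a TGT first if the ccache has none."""
        tgt = self.ccache.get(TGT)
        if tgt is None:
            tgt = self.kdc.kinit(self.password)
            if tgt is None:
                return None
            self.ccache[TGT] = tgt
        t = self.kdc.tgs(tgt, server)
        if t is not None:
            self.ccache[server] = t
        return t

    def connect(self, server: Server, blow_away_ccache: bool = False) -> str:
        """Return 'ok', 'ok-after-retry' or 'failed'."""
        t = self.ccache.get(server.name) or self._fresh(server.name)
        if t is not None and server.accepts(t):
            return "ok"
        # Only now is there evidence that *this* server rejects its ticket.
        if blow_away_ccache:
            self.ccache.clear()                 # the behaviour the message avoids
        else:
            self.ccache.pop(server.name, None)  # drop just the rejected ticket
        t = self._fresh(server.name)            # one retry, never a loop
        if t is not None and server.accepts(t):
            return "ok-after-retry"
        return "failed"


def scenario(blow_away_ccache: bool, password: Optional[str]) -> Dict[str, object]:
    """The file server is reinstalled after the client has cached a ticket for it."""
    fileserver, dc = Server("cifs/fileserver"), Server("ldap/dc")
    kdc = KDC(fileserver, dc)
    # Constructed starting ccache: a TGT from an external kinit (the use case
    # discussed in the thread); the client has no password unless given one.
    client = Client(kdc, {TGT: Ticket(TGT, 1)}, password)
    assert client.connect(fileserver) == "ok" and client.connect(dc) == "ok"
    fileserver.rejoin()
    return {
        "fileserver": client.connect(fileserver, blow_away_ccache),
        "dc_ticket_kept": "ldap/dc" in client.ccache,
        "tgt_kept": TGT in client.ccache,
    }


if __name__ == "__main__":
    for blow_away in (False, True):
        for pw in (None, "machine-password"):
            print(f"blow_away={blow_away} password={pw!r}:", scenario(blow_away, pw))
```

With targeted eviction the stale file-server ticket is replaced on the first retry and the unrelated `ldap/dc` ticket and the TGT survive, whether or not a password is available. Clearing the whole ccache only works when the client can kinit again; with an externally supplied TGT and no password it leaves the client unable to reach any server.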



