Handling of kerberos machine account password changes (eg domain rejoin)

Andrew Bartlett abartlet at samba.org
Thu Nov 1 07:15:28 MDT 2012

On Thu, 2012-11-01 at 07:22 +0100, Andrew Tridgell wrote:
> The branch, master has been updated
>        via  dd60dcf test-chgdcpass: test the ldap case for server password change
>        via  0e6c5c0 s4-ldapclient: cope with logon failure retry in LDAP
>        via  b0cc0d5 s4-librpc: set error code to LOGON_FAILURE on RPC fault with access denied
>        via  538dd04 samba-tool: "drs options" does not need a samdb connection
>        via  5d6ae34 s4-librpc: try a 2nd logon for more error cases

>        via  fce66b2 test_chgdpass: added test for kerberos retry
>        via  d4ea637 libcli: use cli_credentials_failed_kerberos_login() to cope with server changes
>        via  994696c auth: added cli_credentials_failed_kerberos_login()
>       from  ffb608b util: remove accidently committed hunk
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


I wanted to thank you for the chat we just had on IRC about these
kerberos changes.  I think we have determined that it won't hit your use
case, because we are careful to only remove a ticket once we have some
evidence that the server it is for won't accept it.  

We do take particular care not to just blow away the ccache, because we
might not have a password to recreate it (and it might, as in your
application have come from an external kinit or s4u2proxy call).

The reason for the change is to cope with the re-installation of a
kerberos host, where the rejoin to the domain has no record of the old
password, and so for up to 10 hours valid tickets in a ccache would be
rejected, without any attempt to get a fresh ticket. 

That said, Kerberos can be a tricky beast, and I'm very happy to
continue to work with you to address any further concerns you might have
after your conference.  


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list