[PATCH] s3:winbindd: Active Directory account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Wed Dec 14 17:43:41 UTC 2016


This resolves an issue where user accounts get locked out because winbind refreshes tickets using a cached password that is no longer valid (the password has been changed, but the old password is still cached).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12443

Signed-off-by: David Mulder <dmulder at suse.com>
---
 docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml | 16 ++++++++++++++++
 source3/param/loadparm.c                             |  1 +
 source3/winbindd/winbindd_cred_cache.c               | 11 +++++++++--
 3 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml

diff --git a/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml b/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml
new file mode 100644
index 0000000..179b4f7
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml
@@ -0,0 +1,16 @@
+<samba:parameter name="winbind password kinit"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>This parameter controls whether Winbind will use cached passwords to refresh Kerberos
+	Tickets retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module. This
+	option requires that <smbconfoption name="winbind refresh tickets"/> also be enabled.
+
+</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d8da749..f82d8c6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -812,6 +812,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.winbind_expand_groups = 0;
 	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
 	Globals.winbind_refresh_tickets = false;
+	Globals.winbind_password_kinit = false;
 	Globals.winbind_offline_logon = false;
 
 	Globals.idmap_cache_time = 86400 * 7; /* a week by default */
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 20b4d55..0c1168d 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -129,11 +129,15 @@ static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx,
 	/* Kinit again if we have the user password and we can't renew the old
 	 * tgt anymore 
 	 * NB
-	 * This happens when machine are put to sleep for a very long time. */
+	 * This happens when machines are put to sleep for a very long time.
+	 *
+	 * Optionally disable this, since using cached passwords to kinit can
+	 * lockout a user account if their password has changed.
+	 * dmulder */
 
 	if (entry->renew_until < time(NULL)) {
 rekinit:
-		if (cred_ptr && cred_ptr->pass) {
+		if (cred_ptr && cred_ptr->pass && lp_winbind_password_kinit()) {
 
 			set_effective_uid(entry->uid);
 
@@ -319,6 +323,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
 
 #ifdef HAVE_KRB5
 
+	if (!lp_winbind_password_kinit())
+		return;
+
 	if (!cred_ptr || !cred_ptr->pass) {
 		DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
 		return;
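Review bot: The early `return` added before the `!cred_ptr || !cred_ptr->pass` check exits krb5_ticket_gain_handler without any log line, so with the new default of no an operator who expects tickets to be gained after an offline logon gets no indication of why nothing happens; the existing path below logs at level 10, so the new one should too, e.g. `DEBUG(10,("krb5_ticket_gain_handler: winbind password kinit disabled\n"));` before the return. The bare single-statement `if` also differs from the braced `if` block that follows it; wrapping the new check in braces keeps the style consistent. The handler's body begins outside the hunk, so I cannot see whether anything before this point (such as a scheduled re-arm of the timer) now runs for nothing when the option is off.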
-- 
2.10.2



