[PATCH] Active Directory account locked when using winbind refresh tickets

Andreas Schneider asn at samba.org
Thu Nov 24 15:49:50 UTC 2016

On Wednesday, 23 November 2016 11:19:31 CET David Mulder wrote:
> Hi all,

Hello David,

> I'm new working on the SUSE Samba team.

welcome to the Samba world :)

> I've attached a patch here, and
> also posted a pull request at https://github.com/samba-team/samba. Which
> (if any?) is the preferred why to submit patches?

The preferred way is to send git-formatted signed-off patches to the mailing 
list. See



> This is to resolve an issue where user accounts get locked out due to
> winbind refreshing tickets using cached passwords (after the password
> has been modified, but the wrong password is still cached).
> It's my opinion that the password kinit should be disabled by default.
> Does anyone disagree?

I think so, G√ľnther?

However we need a better parameter name for that.
> I suspect I may need to add a check to krb5_ticket_gain_handler() also.

Looking at the patch I don't get the relation to krb5_ticket_gain_handler().



Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org

More information about the samba-technical mailing list