[PATCH] Active Directory account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Mon Nov 28 13:58:44 UTC 2016

On 11/24/2016 08:49 AM, Andreas Schneider wrote:
> On Wednesday, 23 November 2016 11:19:31 CET David Mulder wrote:
>> Hi all,
> Hello David,
>
>> I'm new working on the SUSE Samba team.
> welcome to the Samba world :)
>
>> I've attached a patch here, and
>> also posted a pull request at https://github.com/samba-team/samba. Which
>> (if any?) is the preferred way to submit patches?
> The preferred way is to send git-formatted signed-off patches to the mailing
> list. See
>
> https://wiki.samba.org/index.php/Contribute#How_to_Provide_C_Patches_for_Samba
>
> https://www.samba.org/samba/devel/copyright-policy.html
>
>> This is to resolve an issue where user accounts get locked out due to
>> winbind refreshing tickets using cached passwords (after the password
>> has been modified, but the wrong password is still cached).
>>
>> It's my opinion that the password kinit should be disabled by default.
>> Does anyone disagree?
> I think so, Günther?
I talked with Guenther on IRC about adding this option, but we didn't 
talk about what the default should be.
>
> However we need a better parameter name for that.
>   
I didn't like the parameter name either. Does anyone have a better 
suggestion?
>> I suspect I may need to add a check to krb5_ticket_gain_handler() also.
>
> Looking at the patch I don't get the relation to krb5_ticket_gain_handler().

krb5_ticket_gain_handler() also calls kerberos_kinit_password_ext() and
kinits with a password. It's not the same code path though, and I'm not
familiar with what krb5_ticket_gain_handler() does. So, I suspect we
should also handle that situation (whatever leads us there).

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)