[PATCH] Active Directory account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Mon Nov 28 13:58:44 UTC 2016

On 11/24/2016 08:49 AM, Andreas Schneider wrote:
> On Wednesday, 23 November 2016 11:19:31 CET David Mulder wrote:
>> Hi all,
> Hello David,
>> I'm new working on the SUSE Samba team.
> welcome to the Samba world :)
>> I've attached a patch here, and
>> also posted a pull request at https://github.com/samba-team/samba. Which
>> (if any?) is the preferred why to submit patches?
> The preferred way is to send git-formatted signed-off patches to the mailing
> list. See
> https://wiki.samba.org/index.php/Contribute#How_to_Provide_C_Patches_for_Samba
> https://www.samba.org/samba/devel/copyright-policy.html
>> This is to resolve an issue where user accounts get locked out due to
>> winbind refreshing tickets using cached passwords (after the password
>> has been modified, but the wrong password is still cached).
>> It's my opinion that the password kinit should be disabled by default.
>> Does anyone disagree?
> I think so, Günther?
I talked with Guenther on IRC about adding this option, but we didn't 
talk about what the default should be.
> However we need a better parameter name for that.
I didn't like the parameter name either. Does anyone have a better 
>> I suspect I may need to add a check to krb5_ticket_gain_handler() also.
> Looking at the patch I don't get the relation to krb5_ticket_gain_handler().

krb5_ticket_gain_handler() also calls kerberos_kinit_password_ext() and 
kinits with a password. It's not the same code path though, and I'm not 
familiar with what krb5_ticket_gain_handler()
  does. So, I suspect we should also handle that situation (whatever 
leads us there).

David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

More information about the samba-technical mailing list