[PATCH] s3:winbindd: Active Directory account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Fri Jan 13 20:29:53 UTC 2017


ping


On 12/14/2016 10:43 AM, David Mulder wrote:
> This is to resolve an issue where user accounts get locked out due to winbind refreshing tickets using cached passwords (after the password has been modified, but the wrong password is still cached).
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12443
>
> Signed-off-by: David Mulder <dmulder at suse.com>
> ---
>   docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml | 16 ++++++++++++++++
>   source3/param/loadparm.c                             |  1 +
>   source3/winbindd/winbindd_cred_cache.c               | 11 +++++++++--
>   3 files changed, 26 insertions(+), 2 deletions(-)
>   create mode 100644 docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml
>
> diff --git a/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml b/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml
> new file mode 100644
> index 0000000..179b4f7
> --- /dev/null
> +++ b/docs-xml/smbdotconf/winbind/winbindpasswordkinit.xml
> @@ -0,0 +1,16 @@
> +<samba:parameter name="winbind password kinit"
> +                 context="G"
> +                 type="boolean"
> +                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> +<description>
> +
> +	<para>This parameter controls whether Winbind will use cached passwords to refresh Kerberos
> +	Tickets retrieved using the <parameter moreinfo="none">pam_winbind</parameter> module. This
> +	option requires that <smbconfoption name="winbind refresh tickets"/> also be enabled.
> +
> +</para>
> +</description>
> +
> +<value type="default">no</value>
> +<value type="example">yes</value>
> +</samba:parameter>
> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> index d8da749..f82d8c6 100644
> --- a/source3/param/loadparm.c
> +++ b/source3/param/loadparm.c
> @@ -812,6 +812,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
>   	Globals.winbind_expand_groups = 0;
>   	Globals.winbind_nss_info = str_list_make_v3_const(NULL, "template", NULL);
>   	Globals.winbind_refresh_tickets = false;
> +	Globals.winbind_password_kinit = false;
>   	Globals.winbind_offline_logon = false;
>   
>   	Globals.idmap_cache_time = 86400 * 7; /* a week by default */
> diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
> index 20b4d55..0c1168d 100644
> --- a/source3/winbindd/winbindd_cred_cache.c
> +++ b/source3/winbindd/winbindd_cred_cache.c
> @@ -129,11 +129,15 @@ static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx,
>   	/* Kinit again if we have the user password and we can't renew the old
>   	 * tgt anymore
>   	 * NB
> -	 * This happens when machine are put to sleep for a very long time. */
> +	 * This happens when machines are put to sleep for a very long time.
> +	 *
> +	 * Optionally disable this, since using cached passwords to kinit can
> +	 * lockout a user account if their password has changed.
> +	 * dmulder */
>   
>   	if (entry->renew_until < time(NULL)) {
>   rekinit:
> -		if (cred_ptr && cred_ptr->pass) {
> +		if (cred_ptr && cred_ptr->pass && lp_winbind_password_kinit()) {
>   
>   			set_effective_uid(entry->uid);
>   
> @@ -319,6 +323,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
>   
>   #ifdef HAVE_KRB5
>   
> +	if (!lp_winbind_password_kinit())
> +		return;
> +
>   	if (!cred_ptr || !cred_ptr->pass) {
>   		DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
>   		return;

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imend├Ârffer, Jane Smithard, Graham Norton, HRB 21284 (AG N├╝rnberg)





More information about the samba-technical mailing list