[PATCH] Bug 13212 - Active Directory account randomly locked when using 'winbind refresh tickets'
David Mulder
dmulder at suse.com
Mon Dec 3 20:35:59 UTC 2018

This fell on the back burner for a while for me, but recently came up
again.

This new patch creates a new smb.conf option 'winbind cached passwd
renew', which by default is *, meaning all principal names, but can be
set to a list of specific UPNs for which to use cached passwords for
kinit. The current default behavior causes user accounts to sometimes
become locked out, if their creds have expired and are past renewal
lifetime, and if the user's account has expired. Getting to this state
is rare, but people notice it a couple of times a year, it seems.

The default for now is to keep the existing behavior, but in the future
this option should change to an empty list (default to don't do this
unless specifically requested for specific accounts).

 docs-xml/smbdotconf/winbind/winbindcachedpasswdrenew.xml | 16 +++++++++++
 source3/param/loadparm.c                                 |  2 ++
 source3/winbindd/winbindd_cred_cache.c                   | 61 +++++++++++++++++++++++++++++++----------
 3 files changed, 65 insertions(+), 14 deletions(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug13212.patch
Type: text/x-patch
Size: 4440 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181203/39a77d71/bug13212.bin>