[PATCH] Bug 13212 - Active Directory account randomly locked when using 'winbind refresh tickets'

David Mulder dmulder at suse.com
Mon Dec 3 20:35:59 UTC 2018


This fell on the back burner for a while for me, but recently came up 
again.
This new patch creates a new smb.conf option 'winbind cached passwd 
renew', which by default is *, meaning all principal names, but can be 
set to a list of specific UPNs for which to use cached passwords for 
kinit. The current default behavior causes user accounts to sometimes 
become locked out, if their creds have expired and are past renewal 
lifetime, and if the user's account has expired. Getting to this state 
is rare, but people notice it a couple times a year it seems.
The default for now is to keep the existing behavior, but in the future 
this option should change to an empty list (default to don't do this 
unless specifically requested for specific accounts).

 docs-xml/smbdotconf/winbind/winbindcachedpasswdrenew.xml | 16 +++++++++++
 source3/param/loadparm.c                                 |  2 ++
 source3/winbindd/winbindd_cred_cache.c                   | 61 +++++++++++++++++++++++++++++++----------
 3 files changed, 65 insertions(+), 14 deletions(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug13212.patch
Type: text/x-patch
Size: 4440 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20181203/39a77d71/bug13212.bin>

