[PATCH] fixes account locked when using winbind refresh tickets

Ralph Böhme slow at samba.org
Fri Jan 12 09:58:25 UTC 2018


Hi David,

On Thu, Jan 11, 2018 at 04:45:06PM -0700, David Mulder via samba-technical wrote:
> Fixes bug 13212.
> 
> Lockouts were caused by winbind cached passwords being used to re-kinit
> users after a period of being offline (and tickets expiring), except
> that the password had been changed and caused badPwdCount to increase.
> This happening on multiple machines at once locked out the user accounts.

Oh, good catch! Thanks.

There are some README.Coding issues around "Make use of helper variables". Can
you fix those please?

Does this hunk even compile:

+	if ((at_ptr = strchr(entry->principal_name, '@')) != NULL) {
+		int strlen = at_ptr-entry->principal_name;
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+		sam = talloc_zero_size(ctx, strlen+1);
+		strncpy(sam, entry->principal_name, strlen);
+	} else {
+		DEBUG(5,("Could not determine samAccountName from %s\n",
+			 entry->principal_name));
+		goto fail;
+	}
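
Review bot: in the '@' branch, the pointer returned by talloc_zero_size() is handed straight to strncpy() without a NULL check, so an allocation failure would write through a NULL `sam`. Add `if (sam == NULL) { goto fail; }` before the copy, using the same `fail` label the else branch already jumps to. The local `int strlen` also shadows the C library function of that name for the rest of the block and stores a pointer difference in an int. A helper with a different name (for example `len`) and a size_t or ptrdiff_t type avoids both, and moving the `at_ptr = strchr(...)` assignment out of the if condition keeps the test a plain comparison.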

Also, why not use talloc_strndup()?

And would it be possible to reuse ads_idmap_cached_connection() instead of
rolling your own?

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/


