[PATCH v3] fixes account locked when using winbind refresh tickets
dmulder at suse.com
Mon Jan 15 16:15:51 UTC 2018
On 01/15/2018 08:43 AM, Stefan Metzmacher wrote:
> Hi David,
> some more high-level questions (as I don't know how winbindd currently
> - do we try a renew of the existing ticket first?
Yes, of course.
> - what does Windows do in such situations?
It DOES NOT attempt a password re-kinit. I personally think this
situation is nonsense. We should never kinit with a cached password. The
password cache is intended for offline authentication, not for
authenticating a user without his/her knowledge just to indefinitely
keep their tickets valid. Ticket renewal should do just that: renew
tickets, not kinit at random using the winbind password cache. I
suggested removing/disabling this once before and received no response
though, which is why I've taken this approach.
> - can you explain how this is supposed to work in
> complex setups with a lot of domains including one way trusts?
> We're currently trying to get winbindd to a state where it doesn't
> use LDAP and SAMR anymore, only NETLOGON and LSA LOOKUP *
> via schannel secured connections to direct outgoing trusts,
> by default.
Then we should remove this, plus remove the cached password kinit.
We really shouldn't be kiniting with the offline password cache at all,
but if we *must* do this, then we *must not* do it without first
checking whether our password has changed.
> On 15.01.2018 at 15:52, David Mulder via samba-technical wrote:
>> Touch ups recommended by Andreas (null initialize, helper variables, etc).
>> source3/libads/ads_ldap_protos.h | 2 +
>> source3/libads/ldap.c | 27 +++++++
>> source3/winbindd/winbindd.h | 1 +
>> source3/winbindd/winbindd_cred_cache.c | 126
>> source3/winbindd/winbindd_pam.c | 6 +-
>> source3/winbindd/winbindd_proto.h | 3 +-
>> 6 files changed, 144 insertions(+), 21 deletions(-)
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)