[PATCH v3] fixes account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Mon Jan 15 16:15:51 UTC 2018


On 01/15/2018 08:43 AM, Stefan Metzmacher wrote:
> Hi David,
>
> some more high level questions (as I don't know how winbindd currently
> behaves):
> - do we try a renew of the existing ticket first?
Yes, of course.
> - what does Windows do in such situations?
It DOES NOT attempt a password re-kinit. I personally think this
situation is nonsense. We should never kinit with a cached password. The
password cache is intended for offline authentication, not for
authenticating a user without his/her knowledge just to indefinitely
keep their tickets valid. Ticket renewal should do just that, renew
tickets. Not kinit at random using the winbind password cache. I
suggested removing/disabling this once before and received no response
though, which is why I've taken this approach.
> - can you explain how this is supposed to work in
>   complex setups with a lot of domains including one way trusts?
Don't know.
> We're currently trying to get winbindd to a state where it doesn't
> use LDAP and SAMR anymore, only NETLOGON and LSA LOOKUP *
> via schannel secured connections to direct outgoing trusts,
> by default.
Then we should remove this, plus remove the cached password kinit.
We really shouldn't be kiniting with the offline password cache at all,
but if we *must* do this, then we *must not* do it without first
checking whether our password has changed.
> metze
>
> Am 15.01.2018 um 15:52 schrieb David Mulder via samba-technical:
>> Touch ups recommended by Andreas (null initialize, helper variables, etc).
>>
>>  source3/libads/ads_ldap_protos.h       |   2 +
>>  source3/libads/ldap.c                  |  27 +++++++
>>  source3/winbindd/winbindd.h            |   1 +
>>  source3/winbindd/winbindd_cred_cache.c | 126 ++++++++++++++++++++++++++++-----
>>  source3/winbindd/winbindd_pam.c        |   6 +-
>>  source3/winbindd/winbindd_proto.h      |   3 +-
>>  6 files changed, 144 insertions(+), 21 deletions(-)
>>
>

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)