[PATCH v3] fixes account locked when using winbind refresh tickets
metze at samba.org
Mon Jan 15 16:37:54 UTC 2018
>> some more high level questions (as I don't know how winbindd currently
>> - do we try a renew of the existing ticket first?
> Yes, of course.
>> - what does Windows do in such situations?
> It DOES NOT attempt a password re-kinit. I personally think this
> situation is nonsense. We should never kinit with a cached password. The
> password cache is intended for offline authentication, not for
> authenticating a user without his/her knowledge just to indefinitely
> keep their tickets valid. Ticket renewal should do just that, renew
> tickets. Not kinit at random using the winbind password cache. I
> suggested removing/disabling this once before and received no response
> though, which is why I've taken this approach.
Sorry, that I missed that!
I'd also prefer to remove the code then.
Can you try to find out who added the password based re-kinit
and add the person to this thread?
Andreas and Günther you're more familiar with winbindd setups on
clients, any comments on this?
Does anyone know if and how sssd handles this?
>> - can you explain how this is supposed to work in
>> complex setups with a lot of domains including one way trusts?
> Don't know.
>> We're currently trying to get winbindd to a state where it doesn't
>> use LDAP and SAMR anymore, only NETLOGON and LSA LOOKUP *
>> via schannel secured connections to direct outgoing trusts,
>> by default.
> Then we should remove this, plus remove the cached password kinit.
> We really shouldn't be kiniting with the offline password cache at all,
> but if we *must* do this, then we *must not* do it without first
> checking whether our password has changed.
Yes, maybe we better add an option for this, enabled by default for <=
4.8 and change it to deprecate and disabled it for 4.9.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: OpenPGP digital signature
More information about the samba-technical