[PATCH v3] fixes account locked when using winbind refresh tickets

Stefan Metzmacher metze at samba.org
Mon Jan 15 16:37:54 UTC 2018


Hi David,

>> some more high level questions (as I don't know how winbindd currently
>> behaves):
>> - do we try a renew of the existing ticket first?
> Yes, of course.
>> - what does Windows do in such situations?
> It DOES NOT attempt a password re-kinit. I personally think this
> situation is nonsense. We should never kinit with a cached password. The
> password cache is intended for offline authentication, not for
> authenticating a user without his/her knowledge just to indefinitely
> keep their tickets valid. Ticket renewal should do just that, renew
> tickets. Not kinit at random using the winbind password cache. I
> suggested removing/disabling this once before and received no response
> though, which is why I've taken this approach.

Sorry that I missed that!

I'd also prefer to remove the code then.

Can you try to find out who added the password based re-kinit
and add the person to this thread?

Andreas and Günther you're more familiar with winbindd setups on
clients, any comments on this?

Does anyone know if and how sssd handles this?

>> - can you explain how this is supposed to work in
>>   complex setups with a lot of domains including one way trusts?
> Don't know.
>> We're currently trying to get winbindd to a state where it doesn't
>> use LDAP and SAMR anymore, only NETLOGON and LSA LOOKUP *
>> via schannel secured connections to direct outgoing trusts,
>> by default.
> Then we should remove this, plus remove the cached password kinit.
> We really shouldn't be kiniting with the offline password cache at all,
> but if we *must* do this, then we *must not* do it without first
> checking whether our password has changed.

Yes, maybe we had better add an option for this, enabled by default for <=
4.8, and then deprecate it and disable it by default for 4.9.

metze
