[PATCH v3] fixes account locked when using winbind refresh tickets

Alexander Bokovoy ab at samba.org
Mon Jan 15 16:53:55 UTC 2018


On ma, 15 tammi 2018, Stefan Metzmacher via samba-technical wrote:
> Hi David,
> 
> >> some more high level questions (as I don't know how winbindd currently
> >> behaves):
> >> - do we try a renew of the existing ticket first?
> > Yes, of course.
> >> - what does Windows do in such situations?
> > It DOES NOT attempt a password re-kinit. I personally think this
> > situation is nonsense. We should never kinit with a cached password. The
> > password cache is intended for offline authentication, not for
> > authenticating a user without his/her knowledge just to indefinitely
> > keep their tickets valid. Ticket renewal should do just that, renew
> > tickets. Not kinit at random using the winbind password cache. I
> > suggested removing/disabling this once before and received no response
> > though, which is why I've taken this approach.
> 
> Sorry, that I missed that!
> 
> I'd also prefer to remove the code then.
> 
> Can you try to find out who added the password based re-kinit
> and add the person to this thread?
> 
> Andreas and Günther you're more familiar with winbindd setups on
> clients, any comments on this?
> 
> Does anyone know if and how sssd handles this?
SSSD does use cached password for offline authentication. It also uses
Kerberos ticket renewal if that is possible (R flag in the ticket).
Password-based re-kinit happens only at the point when PAM-driven
authentication happens at which point we are dealing with a new password
entered via PAM conversation. This is necessary due to 2FA support,
where a second (or multiple) tokens would be required for each
authentication attempt.

-- 
/ Alexander Bokovoy
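The policy the thread converges on (renew a renewable ticket while it is still valid, kinit only with a password the user has just entered through PAM, never with the cached one) as an added example that is not part of this thread and not code from winbindd or SSSD; it parses constructed MIT-style `klist -f` output, and the action names and the five-minute margin are assumptions of the example.

```python
import re
from datetime import datetime, timedelta
from enum import Enum

# Constructed sample in the style of MIT `klist -f` output; not from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2018 10:00:00  01/15/2018 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/22/2018 10:00:00, Flags: FRIA
"""
TS = "%m/%d/%Y %H:%M:%S"

def at(s):
    return datetime.strptime(s, TS)

class Action(Enum):
    KEEP = "TGT still valid, nothing to do"
    RENEW = "renew the TGT (R flag set, renew-until not reached)"
    KINIT_PAM = "kinit with the password the user just entered via PAM"
    WAIT = "stay offline until the user authenticates again (cached password unused)"

def parse_tgt(klist_text):
    """Return (expires, renew_until, flags) for the krbtgt line of klist -f."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", line)
        if not m:
            continue
        # klist -f prints renew-until (if renewable) and the flags on the next line.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        r = re.search(r"renew until (\S+ [^,\s]+)", nxt)
        f = re.search(r"Flags: (\w+)", nxt)
        return at(m.group(2)), (at(r.group(1)) if r else None), (f.group(1) if f else "")
    raise ValueError("no krbtgt entry in klist output")

def decide(expires, renew_until, flags, now, pam_password=False, margin=timedelta(minutes=5)):
    """What a ticket-refresh loop should do; a cached password is never an option."""
    if now < expires - margin:
        return Action.KEEP
    # Renewal only works on a still-valid ticket that has the R flag and renew time left.
    if now < expires and "R" in flags and renew_until is not None and now < renew_until:
        return Action.RENEW
    return Action.KINIT_PAM if pam_password else Action.WAIT

def plan(klist_text, now, pam_password=False):
    expires, renew_until, flags = parse_tgt(klist_text)
    return decide(expires, renew_until, flags, now, pam_password)
```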


