Fwd: Re: [PATCH v3] fixes account locked when using winbind refresh tickets
dmulder at suse.com
Mon Jan 15 16:55:23 UTC 2018
Bo Yang was the last to work on this code, but the original author isn't
clear due to an svn merge commit (0af1500fc0ba).
Bo, do you have any thoughts on disabling/removing the password kinit
code from the winbind cred cache? You were the last to do work on this
-------- Forwarded Message --------
Subject: Re: [PATCH v3] fixes account locked when using winbind refresh
Date: Mon, 15 Jan 2018 17:37:54 +0100
From: Stefan Metzmacher <metze at samba.org>
To: David Mulder <dmulder at suse.com>, samba-technical
<samba-technical at lists.samba.org>, Ralph Böhme <slow at samba.org>, Jeremy
Allison <jra at samba.org>, Andreas Schneider <asn at samba.org>, Guenther
Deschner <gd at samba.org>, Sumit Bose <sbose at redhat.com>
>> some more high level questions (as I don't know how winbindd currently
>> - do we try a renew of the existing ticket first?
> Yes, of course.
>> - what does Windows do in such situations?
> It DOES NOT attempt a password re-kinit. I personally think this
> situation is nonsense. We should never kinit with a cached password. The
> password cache is intended for offline authentication, not for
> authenticating a user without his/her knowledge just to indefinitely
> keep their tickets valid. Ticket renewal should do just that, renew
> tickets. Not kinit at random using the winbind password cache. I
> suggested removing/disabling this once before and received no response
> though, which is why I've taken this approach.
Sorry that I missed that!
I'd also prefer to remove the code then.
Can you try to find out who added the password based re-kinit
and add the person to this thread?
Andreas and Günther, you're more familiar with winbindd setups on
clients; any comments on this?
Does anyone know if and how sssd handles this?
>> - can you explain how this is supposed to work in
>> complex setups with a lot of domains including one way trusts?
> Don't know.
>> We're currently trying to get winbindd to a state where it doesn't
>> use LDAP and SAMR anymore, only NETLOGON and LSA LOOKUP *
>> via schannel secured connections to direct outgoing trusts,
>> by default.
> Then we should remove this, plus remove the cached password kinit.
> We really shouldn't be kiniting with the offline password cache at all,
> but if we *must* do this, then we *must not* do it without first
> checking whether our password has changed.
Yes, maybe we'd better add an option for this, enabled by default for <=
4.8, and then deprecate and disable it for 4.9.