[PATCH v3] fixes account locked when using winbind refresh tickets

Stefan Metzmacher metze at samba.org
Mon Jan 15 16:58:29 UTC 2018


Hi Alexander,

>> Andreas and G√ľnther you're more familiar with winbindd setups on
>> clients, any comments on this?
>>
>> Does anyone know if and how sssd handles this?
> SSSD does use cached password for offline authentication. It also uses
> Kerberos ticket renewal if that is possible (R flag in the ticket).
> Password-based re-kinit happens only at the point when PAM-driven
> authentication happens at which point we are dealing with a new password
> entered via PAM conversation. This is necessary due to 2FA support,
> where a second (or multiple) tokens would be required for each
> authentication attempt.

Ok, that sounds useful and exactly how winbindd should also behave:-)

Thanks!
metze


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180115/b1322a6f/signature.sig>


More information about the samba-technical mailing list