[PATCH v3] fixes account locked when using winbind refresh tickets

David Mulder dmulder at suse.com
Mon Jan 15 17:11:06 UTC 2018

This is the patch I proposed previously, which disables the kinit by
default, but provides an option for turning it back on.

On 01/15/2018 09:58 AM, Stefan Metzmacher via samba-technical wrote:
> Hi Alexander,
>>> Andreas and Günther you're more familiar with winbindd setups on
>>> clients, any comments on this?
>>> Does anyone know if and how sssd handles this?
>> SSSD does use cached password for offline authentication. It also uses
>> Kerberos ticket renewal if that is possible (R flag in the ticket).
>> Password-based re-kinit happens only at the point when PAM-driven
>> authentication happens at which point we are dealing with a new password
>> entered via PAM conversation. This is necessary due to 2FA support,
>> where a second token (or multiple tokens) would be required for each
>> authentication attempt.
> Ok, that sounds useful and exactly how winbindd should also behave:-)
> Thanks!
> metze

David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-winbindd-account-locked-when-using-winbind-refres.patch
Type: text/x-patch
Size: 3461 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180115/16d9a6d5/0001-s3-winbindd-account-locked-when-using-winbind-refres.bin>
