[PATCH v3] fixes account locked when using winbind refresh tickets

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jan 16 08:16:26 UTC 2018

On Mon, Jan 15, 2018 at 05:37:54PM +0100, Stefan Metzmacher via samba-technical wrote:
> Hi David,
> >> some more high level questions (as I don't know how winbindd currently
> >> behaves):
> >> - do we try a renew of the existing ticket first?
> > Yes, of course.
> >> - what does Windows do in such situations?
> > It DOES NOT attempt a password re-kinit. I personally think this
> > situation is nonsense. We should never kinit with a cached password. The
> > password cache is intended for offline authentication, not for
> > authenticating a user without his/her knowledge just to indefinitely
> > keep their tickets valid. Ticket renewal should do just that, renew
> > tickets. Not kinit at random using the winbind password cache. I
> > suggested removing/disabling this once before and received no response
> > though, which is why I've taken this approach.
> Sorry, that I missed that!
> I'd also prefer to remove the code then.
> Can you try to find out who added the password based re-kinit
> and add the person to this thread?
> Andreas and Günther you're more familiar with winbindd setups on
> clients, any comments on this?

I do see a use case for long-running HPC jobs, but this is only for
specialized service accounts. If this is needed, see my comment in


Besuchen Sie die verinice.XP 2018 in Berlin,
Anwenderkonferenz für Informationssicherheit
vom 21.-23.03.2018 im Sofitel Kurfürstendamm
Info & Anmeldung hier: http://veriniceXP.org

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

More information about the samba-technical mailing list