[PATCH v3] fixes account locked when using winbind refresh tickets

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jan 16 08:16:26 UTC 2018


On Mon, Jan 15, 2018 at 05:37:54PM +0100, Stefan Metzmacher via samba-technical wrote:
> Hi David,
> 
> >> some more high level questions (as I don't know how winbindd currently
> >> behaves):
> >> - do we try a renew of the existing ticket first?
> > Yes, of course.
> >> - what does Windows do in such situations?
> > It DOES NOT attempt a password re-kinit. I personally think this
> > situation is nonsense. We should never kinit with a cached password. The
> > password cache is intended for offline authentication, not for
> > authenticating a user without his/her knowledge just to indefinitely
> > keep their tickets valid. Ticket renewal should do just that, renew
> > tickets. Not kinit at random using the winbind password cache. I
> > suggested removing/disabling this once before and received no response
> > though, which is why I've taken this approach.
> 
> Sorry that I missed that!
> 
> I'd also prefer to remove the code then.
> 
> Can you try to find out who added the password based re-kinit
> and add the person to this thread?
> 
> Andreas and Günther, you're more familiar with winbindd setups on
> clients; any comments on this?

I do see a use case for long-running HPC jobs, but this is only for
specialized service accounts. If this is needed, see my comment in
https://bugzilla.samba.org/show_bug.cgi?id=13212#c6

Volker

-- 
Visit verinice.XP 2018 in Berlin,
the user conference for information security,
from 21-23 March 2018 at the Sofitel Kurfürstendamm.
Info & registration here: http://veriniceXP.org

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de