** Description changed:

- winbindd will renew kerberos tickets until they expire, but it seems
- unable to refresh them before expiry.
+ [Impact]
+ * If it happens on the client, the client can't authenticate to any kerberised servers (Windows or Linux).
+ * If it happens on the server, all clients (Windows or Linux) are unable to connect to that server any more.
+ * The main impact is very flaky network authentication on an LTS release that we will have to live with for a few more years.
+
+ [Workaround]
+ On the desktop run kinit to create a new ticket cache, or on a server restart the winbind daemon after logging in with a local account. This usually needs to be done once or twice a week on my desktop, but less frequently on servers.
+
+ [Test Case]
+ Requires an AD domain with winbind configured to use it.
+ Use winbind refresh ticket = true
+ Set cached_login for pam_winbind
+ ???
+
+ [Original Description]
+
+
+ winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.

  I have the following in smb.conf:

  winbind refresh ticket = true

  and have cached_login set for pam_winbind

  After 7 days (the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5

  I have tried to debug why this is happening and have come to the
  conclusion that there are two important variables for ticket refreshing
  to work (both in winbind/winbindd_cred_cache.c):

  ccache_list
  memory_creds_list

  and that the function that stores the password for later refreshing use
  is called winbindd_add_memory_creds

  This function though requires that the user is in ccache_list before it
  stores the password in a way it can be used by the rekinit part of the
  function krb5_ticket_refresh_handler.

  The problem as I see it is that winbind forks and the parent populates
  ccache_list and the child populates memory_creds_list. This leads to the
  password not being stored in a way that can be used by the rekinit code
  in krb5_ticket_refresh_handler.

  As a dirty hack (attached) I tried populating memory_creds_list from the
  same location as ccache_list gets populated (winbindd_raw_kerberos_login
  in winbind/winbindd_pam.c). This hack "fixes" the problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   LANGUAGE=en_GB:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

--
https://bugs.launchpad.net/bugs/1037055

Title:
  winbind does not refresh kerberos tickets
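
Added example, not part of the original bug report and not Samba code: a check that tells a ticket that can still be renewed apart from one that has reached its renewal limit, which is the point where the report says a fresh kinit is needed. The sample `klist` output is constructed, the date format is an assumption (it varies by locale and Kerberos version), and `tgt_state` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not from the bug report).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/20/2012 11:30:27  08/20/2012 21:30:27  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/22/2012 11:30:27
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumed date format; klist output varies by locale
TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TGT_RE = re.compile(TS + r"\s+" + TS + r"\s+(krbtgt/\S+)\s+renew until " + TS)


def tgt_state(klist_text, now, warn=timedelta(hours=24)):
    """Classify the TGT in klist output (hypothetical helper for this example).

    renewable        - renewal without a password can still extend the ticket
    renew-limit-near - renewable, but "renew until" is less than `warn` away
    final            - ticket already runs to "renew until"; renewal cannot
                       extend it, so a new ticket needs the password (kinit)
    expired          - ticket lifetime is over; only a fresh kinit helps
    """
    m = TGT_RE.search(klist_text)
    if m is None:
        return "no-renewable-tgt"
    expires = datetime.strptime(m.group(2), FMT)
    renew_until = datetime.strptime(m.group(4), FMT)
    if now >= expires:
        return "expired"
    if expires >= renew_until:
        return "final"
    if renew_until - now <= warn:
        return "renew-limit-near"
    return "renewable"


if __name__ == "__main__":
    print(tgt_state(SAMPLE_KLIST, datetime(2012, 8, 20, 12, 0, 0)))
```

Fed the real output of `klist` from cron on an affected host, a result of `final` or `expired` marks the moment the workaround above (kinit, or restarting winbind) becomes necessary.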