[Bug 1037055] Re: winbind does not refresh kerberos tickets

Ian Gordon ian.gordon at strath.ac.uk
Wed Aug 15 11:08:54 UTC 2012


** Description changed:

+ winbindd will renew kerberos tickets until they expire, but it seems
+ unable to refresh them before expiry.
  
- winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.
- 
- I am using in smb.conf
+ I have the following in smb.conf:
  
  winbind refresh ticket = true
  
  and have cached_login set for pam_winbind
  
  After 7 days ( the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5
  
  I have tried to debug why this is happening and have come to the
- conclusion that there are to important variables for ticket refreshing
+ conclusion that there are two important variables for ticket refreshing
  to work (both in winbind/winbindd_cred_cache.c):
  
  ccache_list
  memory_creds_list
  
  and that the function that stores the password for later refreshing use
  is called
  
  winbindd_add_memory_creds
  
- This function though requires that the user is ccache_list before it
- stores the password in a way it can be used by the  rekinit part of the
+ This function though requires that the user is in ccache_list before it
+ stores the password in a way it can be used by the rekinit part of the
  function krb5_ticket_refresh_handler.
  
  The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
  This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.
  
  As a dirty hack (attached) I tried populating memory_creds_list from the
  same location as ccache_list get populated (winbindd_raw_kerberos_login
  in winbind/winbindd_pam.c).
  
  This hack "fixes" the problem.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
-  LANGUAGE=en_GB:en
-  TERM=xterm
-  PATH=(custom, no user)
-  LANG=en_GB.UTF-8
-  SHELL=/bin/bash
+  LANGUAGE=en_GB:en
+  TERM=xterm
+  PATH=(custom, no user)
+  LANG=en_GB.UTF-8
+  SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

https://bugs.launchpad.net/bugs/1037055

Title:
  winbind does not refresh kerberos tickets

Status in “samba” package in Ubuntu:
  New

Bug description:
  winbindd will renew kerberos tickets until they expire, but it seems
  unable to refresh them before expiry.

  I have the following in smb.conf:

  winbind refresh ticket = true

  and have cached_login set for pam_winbind

  After 7 days (the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5.

  I have tried to debug why this is happening and have come to the
  conclusion that there are two important variables for ticket
  refreshing to work (both in winbind/winbindd_cred_cache.c):

  ccache_list
  memory_creds_list

  and that the function that stores the password for later refreshing
  use is called

  winbindd_add_memory_creds

  This function though requires that the user is in ccache_list before
  it stores the password in a way it can be used by the rekinit part of
  the function krb5_ticket_refresh_handler.

  The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
  This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.

  As a dirty hack (attached) I tried populating memory_creds_list from
  the same location as ccache_list gets populated
  (winbindd_raw_kerberos_login in winbind/winbindd_pam.c).

  This hack "fixes" the problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   LANGUAGE=en_GB:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57
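
The process split described in the report, as an added example that is not part of the original report and is not Samba code: a toy C model in which two process-local lists are filled on opposite sides of a fork(), so the process that refreshes tickets never sees the stored password. The list and function names are borrowed from the report; their simplified behaviour, the user "alice" and the password are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy model, one user per list; both lists are private to each process. */
static struct { char user[32]; int has_password; } ccache_list;
static struct { char user[32]; char pass[32]; } memory_creds_list;

static void reset(void) {
    memset(&ccache_list, 0, sizeof ccache_list);
    memset(&memory_creds_list, 0, sizeof memory_creds_list);
}
static void add_ccache_entry(const char *user) {
    strncpy(ccache_list.user, user, sizeof ccache_list.user - 1);
}
/* Password is usable for re-kinit only if the caller's own ccache_list has the user. */
static void add_memory_creds(const char *user, const char *pass) {
    strncpy(memory_creds_list.user, user, sizeof memory_creds_list.user - 1);
    strncpy(memory_creds_list.pass, pass, sizeof memory_creds_list.pass - 1);
    if (strcmp(ccache_list.user, user) == 0)
        ccache_list.has_password = 1;
}
static int can_rekinit(const char *user) {
    return strcmp(ccache_list.user, user) == 0 && ccache_list.has_password;
}

/* Reported layout: child stores the password, parent the ccache entry. */
int split_process_login(void) {
    reset();
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { add_memory_creds("alice", "constructed-pw"); _exit(0); }
    waitpid(pid, NULL, 0);
    add_ccache_entry("alice");
    return can_rekinit("alice");   /* 0: the child's store never reached us */
}

/* Layout of the reporter's workaround: both lists filled in one process. */
int same_process_login(void) {
    reset();
    add_ccache_entry("alice");
    add_memory_creds("alice", "constructed-pw");
    return can_rekinit("alice");
}

int main(void) {
    return printf("split=%d same=%d\n", split_process_login(), same_process_login()) < 0;
}
```

In the split layout the renewable ticket can still be renewed, because that needs no password; only the fresh kinit after the renewal limit fails, which matches the 7-day symptom in the report.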
