[Bug 1037055] Re: winbind does not refresh kerberos tickets
styro
1037055 at bugs.launchpad.net
Thu Feb 14 01:58:14 UTC 2013
I've done some testing on machines with and without the new packages.
Conclusion: I think things have improved with the new packages.
More details:
It is hard to tell for sure as there are various things (e.g. using sudo,
or unlocking the desktop etc) other than winbind that will refresh the
Ticket Granting Ticket (TGT) and update/recreate the credentials cache.
This can mask the original problem.
I managed to shorten the Active Directory ticket lifetimes (1 hour) and
renewal periods (1 day) to the minimum to speed up testing. But after
this I noticed that tickets were no longer being renewed at all, and
expired tickets would stay in the credentials cache breaking
authentication. This was worse than the original problem.
On a machine without the updates installed, the original problem was
still happening even with the shorter ticket lifetimes, i.e. the
credentials cache and Ticket Granting Ticket disappearing before the TGT
reached its renewal time limit. This problem never happened with the
updated packages though.
Suspecting that the expired ticket problem was caused by the extremely
short ticket lifetimes, I extended Active Directory ticket settings to
5hr expiry and 2 day renewal periods. This has slowed down testing a
bit, but seems to have made that new expired ticket problem go away, i.e.
tickets are now renewing properly again, and I haven't noticed the cache
disappearing before the TGT's renewal period was up.
So - things do seem improved with the new packages (provided stupidly
short ticket lifetimes aren't in use). The problem I encountered with
very short lifetimes is unrelated to this bug report.
But without a reliable way to reproduce the original problem, I still
can't be 100% certain that absence of evidence (not seeing the bug so
far) equates to evidence of absence (the bug has been fixed).
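One way to make the kind of testing described in this comment less dependent on eyeballing klist is to classify each cached ticket against the current time. The script below is an added example (not code from the bug reporter or from Samba): it parses klist output, constructed here to mirror the shortened 1-hour/1-day AD settings, and reports whether the TGT is healthy, about to need renewal, past its renewal limit (so only a fresh kinit with the stored password can extend it), or expired but still sitting in the cache. The timestamp layout assumed is MIT klist's default "MM/DD/YYYY HH:MM:SS", which is locale dependent, and the ten-minute warning window is an arbitrary choice.

```python
"""Classify the tickets in a Kerberos credentials cache from `klist` output.

Added example for winbind ticket-refresh testing; the klist text below is
constructed, and the timestamp format assumed is MIT klist's default
"%m/%d/%Y %H:%M:%S" (locale dependent, so adjust TS_FORMAT if yours differs).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TS_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample: a 1-hour TGT with a 1-day renewal limit, a renewable
# NFS service ticket, and a non-renewable host ticket (no "renew until" line).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
02/14/2013 00:30:00  02/14/2013 01:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/15/2013 00:30:00
02/14/2013 00:31:12  02/14/2013 01:30:00  nfs/fileserver.example.com@EXAMPLE.COM
\trenew until 02/15/2013 00:30:00
02/14/2013 00:40:00  02/14/2013 01:40:00  host/workstation.example.com@EXAMPLE.COM
"""


@dataclass
class Ticket:
    principal: str
    starts: datetime
    expires: datetime
    renew_until: Optional[datetime] = None  # None: klist printed no "renew until" line


def _ts(text: str) -> datetime:
    return datetime.strptime(text.strip(), TS_FORMAT)


def parse_klist(text: str) -> list[Ticket]:
    """Parse the ticket table that follows the 'Valid starting' header line."""
    tickets: list[Ticket] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Valid starting"):
            in_table = True
            continue
        stripped = line.strip()
        if not in_table or not stripped:
            continue
        if stripped.startswith("renew until"):
            # Continuation line that belongs to the ticket printed just above it.
            tickets[-1].renew_until = _ts(stripped[len("renew until"):])
            continue
        parts = stripped.split()
        if len(parts) < 5:
            continue  # flag lines and other details this example does not model
        tickets.append(Ticket(
            principal=parts[4],
            starts=_ts(" ".join(parts[0:2])),
            expires=_ts(" ".join(parts[2:4])),
        ))
    return tickets


def classify(ticket: Ticket, now: datetime, warn: timedelta = timedelta(minutes=10)) -> str:
    """Return one of:
    expired             - past its end time but still present in the cache
    renew-limit-reached - still valid, but a renewal cannot extend it any further
    renew-due           - renewable, and its end time is inside the warning window
    ok                  - valid and renewable with time to spare
    """
    if ticket.expires <= now:
        return "expired"
    renewable = ticket.renew_until is not None and ticket.renew_until > ticket.expires
    if not renewable:
        return "renew-limit-reached"
    if ticket.expires - now <= warn:
        return "renew-due"
    return "ok"


def find_tgt(tickets: list[Ticket]) -> Optional[Ticket]:
    """The TGT is the krbtgt/REALM@REALM entry; None if the cache has no TGT."""
    for t in tickets:
        if t.principal.startswith("krbtgt/"):
            return t
    return None


def cache_status(klist_text: str, now: datetime) -> dict[str, str]:
    """Map every principal in the cache to its state at the given time."""
    return {t.principal: classify(t, now) for t in parse_klist(klist_text)}


if __name__ == "__main__":
    for label, when in [("mid-lifetime", "02/14/2013 01:00:00"),
                        ("near expiry", "02/14/2013 01:25:00"),
                        ("after expiry", "02/14/2013 02:00:00")]:
        print(label, cache_status(SAMPLE_KLIST, _ts(when)))
```

To use it on a real session, run klist as the logged-in user (with that user's KRB5CCNAME) and pass its output to cache_status with datetime.now(); a TGT that reports "expired" while still listed is the stale-ticket symptom from the shortened-lifetime test, and "renew-limit-reached" is the point at which winbind needs the stored password rather than a renewal.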
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1037055
Title:
winbind does not refresh kerberos tickets
Status in Samba:
Fix Released
Status in “samba” package in Ubuntu:
Confirmed
Bug description:
winbindd will renew kerberos tickets until they expire, but it seems
unable to refresh them before expiry.
I have the following in smb.conf:
winbind refresh ticket = true
and have cached_login set for pam_winbind.
After 7 days (the renewal limit on AD kerberos tickets) the ticket
expires and I lose access to my NFS home directory which uses sec=krb5.
I have tried to debug why this is happening and have come to the
conclusion that there are two important variables for ticket
refreshing to work (both in winbind/winbindd_cred_cache.c):
ccache_list
memory_creds_list
and that the function that stores the password for later refreshing
use is called
winbindd_add_memory_creds
This function though requires that the user is in ccache_list before
it stores the password in a way it can be used by the rekinit part of
the function krb5_ticket_refresh_handler.
The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.
As a dirty hack (attached) I tried populating memory_creds_list from
the same location as ccache_list gets populated
(winbindd_raw_kerberos_login in winbind/winbindd_pam.c).
This hack "fixes" the problem.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: winbind 2:3.6.3-2ubuntu2.3
ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
Uname: Linux 3.2.0-27-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Wed Aug 15 11:30:27 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
LANGUAGE=en_GB:en
TERM=xterm
PATH=(custom, no user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SambaClientRegression: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57