[Bug 1037055] Re: winbind does not refresh kerberos tickets

Sun Feb 17 20:00:11 UTC 2013

After further testing, I'm certain the updated packages have fixed the
bug.

Leaving two machines running logged in and idle over the weekend, the
unpatched machine lost its credential cache (again) while the patched
one succesfully renewed its TGT all weekend. And it also successfully
got a new one after the renewal limit was reached.

Thanks. It would be great if these updates could make their way into
precise and quantal. I gather raring already has them from upstream.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1037055

Title:
  winbind does not refresh kerberos tickets

Status in Samba:
  Fix Released
Status in “samba” package in Ubuntu:
  Confirmed

Bug description:
  winbindd will renew kerberos tickets until they expire, but it seems
  unable to refresh them before expiry.

  I have the following in smb.conf:

  winbind refresh ticket = true

  and have cached_login set for pam_winbind

  After 7 days ( the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5

  I have tried to debug why this is happening and have come to the
  conclusion that there are two important variables for ticket
  refreshing to work (both in winbind/winbindd_cred_cache.c):

  ccache_list
  memory_creds_list

  and that the function that stores the password for later refreshing
  use is called

  winbindd_add_memory_creds

  This function though requires that the user is in ccache_list before
  it stores the password in a way it can be used by the rekinit part of
  the function krb5_ticket_refresh_handler.

  The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
  This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.

  As a dirty hack (attached) I tried populating memory_creds_list from
  the same location as ccache_list get populated
  (winbindd_raw_kerberos_login in winbind/winbindd_pam.c).

  This hack "fixes" the problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   LANGUAGE=en_GB:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1037055/+subscriptions