[Bug 1037055] [NEW] winbind does not refresh kerberos tickets

Ian Gordon ian.gordon at strath.ac.uk
Wed Aug 15 10:58:24 UTC 2012 

Public bug reported:


winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.

I am using in smb.conf

winbind refresh ticket = true

and have cached_login set for pam_winbind

After 7 days ( the renewal limit on AD kerberos tickets) the ticket
expires and I lose access to my NFS home directory which uses sec=krb5

I have tried to debug why this is happening and have come to the
conclusion that there are to important variables for ticket refreshing
to work (both in winbind/winbindd_cred_cache.c):

ccache_list
memory_creds_list

and that the function that stores the password for later refreshing use
is called

winbindd_add_memory_creds

This function though requires that the user is ccache_list before it
stores the password in a way it can be used by the  rekinit part of the
function krb5_ticket_refresh_handler.

The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.

As a dirty hack (attached) I tried populating memory_creds_list from the
same location as ccache_list get populated (winbindd_raw_kerberos_login
in winbind/winbindd_pam.c).

This hack "fixes" the problem.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: winbind 2:3.6.3-2ubuntu2.3
ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
Uname: Linux 3.2.0-27-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Wed Aug 15 11:30:27 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
 LANGUAGE=en_GB:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SambaClientRegression: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug precise

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1037055

Title:
  winbind does not refresh kerberos tickets

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1037055/+subscriptions

More information about the Ubuntu-server-bugs mailing list