[Bug 1037055] Re: winbind does not refresh kerberos tickets
styro
1037055 at bugs.launchpad.net
Wed Mar 20 23:21:24 UTC 2013
** Description changed:
[Impact]
* If it happens on the client, the client can't authenticate to any kerberised servers (Windows or Linux).
* If it happens on the server, all clients (Windows or Linux) are unable to connect to that server any more.
* The main impact is very flaky network authentication on an LTS release that we will have to live with for a few more years.
[Workaround]
On the desktop run kinit to create a new ticket cache, or on a server restart the winbind daemon after logging in with a local account. This usually needs to be done once or twice a week on my desktop, but less frequently on servers.
[Test Case]
- Requires an AD domain with winbind configured to use it.
+ Requires an AD (or Samba 4?) domain with winbind configured to use it.
Use winbind refresh ticket = true
- Set cached_login for pam_winbind
- ???
+ Set cached_login for pam_winbind.
+ Log onto a domain member using a domain account.
+ Winbind will create a standard Kerberos credential cache containing a TGT (Ticket Granting Ticket - e.g. something like krbtgt/REALM at REALM).
+ The klist command will verify the existence of the cache and the TGT in it.
+ At some point before the renewal lifetime is up, the credential cache will disappear, preventing Kerberos apps from working. It is often at about 25-50% of the renewal lifetime, but not always.
+ The klist command will now report that it can't find the ccache.
+ With the bugfix, the ccache never disappears and Winbind will successfully renew the TGT.
+
[Original Description]
-
- winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.
+ winbindd will renew kerberos tickets until they expire, but it seems
+ unable to refresh them before expiry.
I have the following in smb.conf:
winbind refresh ticket = true
and have cached_login set for pam_winbind.
After 7 days (the renewal limit on AD kerberos tickets) the ticket
expires and I lose access to my NFS home directory which uses sec=krb5.
I have tried to debug why this is happening and have come to the
conclusion that there are two important variables for ticket refreshing
to work (both in winbind/winbindd_cred_cache.c):
ccache_list
memory_creds_list
and that the function that stores the password for later refreshing use
is called
winbindd_add_memory_creds
This function though requires that the user is in ccache_list before it
stores the password in a way it can be used by the rekinit part of the
function krb5_ticket_refresh_handler.
The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.
As a dirty hack (attached) I tried populating memory_creds_list from the
same location as ccache_list get populated (winbindd_raw_kerberos_login
in winbind/winbindd_pam.c).
This hack "fixes" the problem.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: winbind 2:3.6.3-2ubuntu2.3
ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
Uname: Linux 3.2.0-27-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Wed Aug 15 11:30:27 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
LANGUAGE=en_GB:en
TERM=xterm
PATH=(custom, no user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SambaClientRegression: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57
--
https://bugs.launchpad.net/bugs/1037055
Title:
winbind does not refresh kerberos tickets