[Bug 1037055] Re: winbind does not refresh kerberos tickets

styro 1037055 at bugs.launchpad.net
Wed Mar 20 23:21:24 UTC 2013 

** Description changed:

  [Impact]
  * If it happens on the client, the client can't authenticate to any kerberised servers (Windows or Linux).
  * If it happens on the server, all clients (Windows or Linux) are unable to connect to that server any more.
  * The main impact is very flaky network authentication on an LTS release that we will have to live with for a few more years.
  
  [Workaround]
  On the desktop run kinit to create a new ticket cache, or on a server restart the winbind daemon after logging in with a local account. This usually needs to be done once or twice a week on my desktop, but less frequently on servers.
  
  [Test Case]
- Requires an AD domain with winbind configured to use it.
+ Requires an AD (or Samba 4?) domain with winbind configured to use it.
  Use winbind refresh ticket = true
- Set cached_login for pam_winbind
- ???
+ Set cached_login for pam_winbind.
+ Log onto a domain member using a domain account.
+ Winbind will create a standard Kerberos credential cache containing a TGT (Ticket Granting Ticket - eg something like krbtgt/REALM at REALM).
+ The klist command will verify the existence of the cache and the TGT in it.
+ At some point before the renewal lifetime is up, the credential cache will disappear preventing Kerberos apps from working. It is often at about 25-50% of the renewal lifetime, but not always.
+ The klist command will now report that it can't find the ccache.
+ With the bugfix, the ccache never disappears and Winbind will successfully renew the TGT.
+ 
  
  [Original Description]
  
- 
- winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.
+ winbindd will renew kerberos tickets until they expire, but it seems
+ unable to refresh them before expiry.
  
  I have the following in smb.conf:
  
  winbind refresh ticket = true
  
  and have cached_login set for pam_winbind
  
  After 7 days ( the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5
  
  I have tried to debug why this is happening and have come to the
  conclusion that there are two important variables for ticket refreshing
  to work (both in winbind/winbindd_cred_cache.c):
  
  ccache_list
  memory_creds_list
  
  and that the function that stores the password for later refreshing use
  is called
  
  winbindd_add_memory_creds
  
  This function though requires that the user is in ccache_list before it
  stores the password in a way it can be used by the rekinit part of the
  function krb5_ticket_refresh_handler.
  
  The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
  This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.
  
  As a dirty hack (attached) I tried populating memory_creds_list from the
  same location as ccache_list get populated (winbindd_raw_kerberos_login
  in winbind/winbindd_pam.c).
  
  This hack "fixes" the problem.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   LANGUAGE=en_GB:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1037055

Title:
  winbind does not refresh kerberos tickets

Status in Samba:
  Fix Released
Status in “samba” package in Ubuntu:
  Confirmed

Bug description:
  [Impact]
  * If it happens on the client, the client can't authenticate to any kerberised servers (Windows or Linux).
  * If it happens on the server, all clients (Windows or Linux) are unable to connect to that server any more.
  * The main impact is very flaky network authentication on an LTS release that we will have to live with for a few more years.

  [Workaround]
  On the desktop run kinit to create a new ticket cache, or on a server restart the winbind daemon after logging in with a local account. This usually needs to be done once or twice a week on my desktop, but less frequently on servers.

  [Test Case]
  Requires an AD (or Samba 4?) domain with winbind configured to use it.
  Use winbind refresh ticket = true
  Set cached_login for pam_winbind.
  Log onto a domain member using a domain account.
  Winbind will create a standard Kerberos credential cache containing a TGT (Ticket Granting Ticket - eg something like krbtgt/REALM at REALM).
  The klist command will verify the existence of the cache and the TGT in it.
  At some point before the renewal lifetime is up, the credential cache will disappear preventing Kerberos apps from working. It is often at about 25-50% of the renewal lifetime, but not always.
  The klist command will now report that it can't find the ccache.
  With the bugfix, the ccache never disappears and Winbind will successfully renew the TGT.

  
  [Original Description]

  winbindd will renew kerberos tickets until they expire, but it seems
  unable to refresh them before expiry.

  I have the following in smb.conf:

  winbind refresh ticket = true

  and have cached_login set for pam_winbind

  After 7 days ( the renewal limit on AD kerberos tickets) the ticket
  expires and I lose access to my NFS home directory which uses sec=krb5

  I have tried to debug why this is happening and have come to the
  conclusion that there are two important variables for ticket
  refreshing to work (both in winbind/winbindd_cred_cache.c):

  ccache_list
  memory_creds_list

  and that the function that stores the password for later refreshing
  use is called

  winbindd_add_memory_creds

  This function though requires that the user is in ccache_list before
  it stores the password in a way it can be used by the rekinit part of
  the function krb5_ticket_refresh_handler.

  The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
  This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.

  As a dirty hack (attached) I tried populating memory_creds_list from
  the same location as ccache_list get populated
  (winbindd_raw_kerberos_login in winbind/winbindd_pam.c).

  This hack "fixes" the problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: winbind 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
  Uname: Linux 3.2.0-27-generic x86_64
  ApportVersion: 2.0.1-0ubuntu12
  Architecture: amd64
  Date: Wed Aug 15 11:30:27 2012
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   LANGUAGE=en_GB:en
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_GB.UTF-8
   SHELL=/bin/bash
  SambaClientRegression: No
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
  mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1037055/+subscriptions

More information about the Ubuntu-sponsors mailing list