** Description changed: [Impact] * If it happens on the client, the client can't authenticate to any kerberised servers (Windows or Linux). * If it happens on the server, all clients (Windows or Linux) are unable to connect to that server any more. * The main impact is very flaky network authentication on an LTS release that we will have to live with for a few more years. [Workaround] On the desktop run kinit to create a new ticket cache, or on a server restart the winbind daemon after logging in with a local account. This usually needs to be done once or twice a week on my desktop, but less frequently on servers. [Test Case] - Requires an AD domain with winbind configured to use it. + Requires an AD (or Samba 4?) domain with winbind configured to use it. Use winbind refresh ticket = true - Set cached_login for pam_winbind - ??? + Set cached_login for pam_winbind. + Log onto a domain member using a domain account. + Winbind will create a standard Kerberos credential cache containing a TGT (Ticket Granting Ticket - eg something like krbtgt/REALM@REALM). + The klist command will verify the existence of the cache and the TGT in it. + At some point before the renewal lifetime is up, the credential cache will disappear preventing Kerberos apps from working. It is often at about 25-50% of the renewal lifetime, but not always. + The klist command will now report that it can't find the ccache. + With the bugfix, the ccache never disappears and Winbind will successfully renew the TGT. + [Original Description] - - winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry. + winbindd will renew kerberos tickets until they expire, but it seems + unable to refresh them before expiry. I have the following in smb.conf: winbind refresh ticket = true and have cached_login set for pam_winbind After 7 days ( the renewal limit on AD kerberos tickets) the ticket expires and I lose access to my NFS home directory which uses sec=krb5 I have tried to debug why this is happening and have come to the conclusion that there are two important variables for ticket refreshing to work (both in winbind/winbindd_cred_cache.c): ccache_list memory_creds_list and that the function that stores the password for later refreshing use is called winbindd_add_memory_creds This function though requires that the user is in ccache_list before it stores the password in a way it can be used by the rekinit part of the function krb5_ticket_refresh_handler. The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list. This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler. As a dirty hack (attached) I tried populating memory_creds_list from the same location as ccache_list get populated (winbindd_raw_kerberos_login in winbind/winbindd_pam.c). This hack "fixes" the problem. ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: winbind 2:3.6.3-2ubuntu2.3 ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21 Uname: Linux 3.2.0-27-generic x86_64 ApportVersion: 2.0.1-0ubuntu12 Architecture: amd64 Date: Wed Aug 15 11:30:27 2012 InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425) ProcEnviron: LANGUAGE=en_GB:en TERM=xterm PATH=(custom, no user) LANG=en_GB.UTF-8 SHELL=/bin/bash SambaClientRegression: No SourcePackage: samba UpgradeStatus: No upgrade log present (probably fresh install) mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57 mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1037055 Title: winbind does not refresh kerberos tickets To manage notifications about this bug go to: https://bugs.launchpad.net/samba/+bug/1037055/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
