winbindd will renew kerberos tickets until they expire, but it seems unable to refresh them before expiry.
I am using in smb.conf
winbind refresh ticket = true
and have cached_login set for pam_winbind
After 7 days (the renewal limit on AD Kerberos tickets) the ticket expires and I lose access to my NFS home directory, which uses sec=krb5.
I have tried to debug why this is happening and have come to the conclusion that there are two important variables for ticket refreshing to work (both in winbind/winbindd_cred_cache.c):
ccache_list
memory_creds_list
and that the function that stores the password for later refreshing use is called
winbindd_add_memory_creds
This function, though, requires that the user is in ccache_list before it stores the password in a way it can be used by the rekinit part of the function krb5_ticket_refresh_handler.
The problem as I see it is that winbind forks and the parent populates ccache_list and the child populates memory_creds_list.
This leads to the password not being stored in a way that can be used by the rekinit code in krb5_ticket_refresh_handler.
As a dirty hack (attached) I tried populating memory_creds_list from the same location as ccache_list gets populated (winbindd_raw_kerberos_login in winbind/winbindd_pam.c).
This hack "fixes" the problem.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: winbind 2:3.6.3-2ubuntu2.3
ProcVersionSignature: Ubuntu 3.2.0-27.43-generic 3.2.21
Uname: Linux 3.2.0-27-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Wed Aug 15 11:30:27 2012
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
 LANGUAGE=en_GB:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SambaClientRegression: No
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.default.winbind: 2012-07-06T14:00:57
mtime.conffile..etc.init.d.winbind: 2012-07-06T14:00:57
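
A minimal model of the fork split described in the report, added here as an illustration; it is not Samba source and not the attached patch. The one-slot lists, the user "alice" and the password are constructed, and it assumes the refresh handler runs in the process that owns ccache_list.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Process-local state; one slot each keeps the model short (constructed). */
static struct { char user[32]; bool has_creds; } ccache_list;
static struct { char user[32]; char pass[32]; } memory_creds_list;

static void add_ccache_entry(const char *user) {
    snprintf(ccache_list.user, sizeof ccache_list.user, "%s", user);
    ccache_list.has_creds = false;
}

/* Per the report: the password is only usable for re-kinit if the user
 * already has a ccache_list entry in the process that stores it. */
static bool add_memory_creds(const char *user, const char *pass) {
    snprintf(memory_creds_list.user, sizeof memory_creds_list.user, "%s", user);
    snprintf(memory_creds_list.pass, sizeof memory_creds_list.pass, "%s", pass);
    if (strcmp(ccache_list.user, user) != 0)
        return false;               /* no ccache entry here: nothing to link */
    ccache_list.has_creds = true;
    return true;
}

/* Returns true if the process holding ccache_list can re-kinit for user.
 * split=true:  the child stores the creds (behaviour the report describes).
 * split=false: one process stores both (the effect of the workaround). */
bool rekinit_possible(const char *user, const char *pass, bool split) {
    memset(&ccache_list, 0, sizeof ccache_list);
    memset(&memory_creds_list, 0, sizeof memory_creds_list);
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0)   /* child: writes land in its own copy of both lists */
        _exit(split && add_memory_creds(user, pass) ? 1 : 0);
    waitpid(pid, NULL, 0);
    add_ccache_entry(user);
    if (!split) add_memory_creds(user, pass);
    return ccache_list.has_creds;
}

int main(void) {
    printf("split across fork: %d\n", rekinit_possible("alice", "constructed-pw", true));
    printf("same process:      %d\n", rekinit_possible("alice", "constructed-pw", false));
    return 0;
}
```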