+++ This bug was initially created as a clone of Bug #12369 +++

Hi, I'm using samba as an AD Domain Member. After a fresh install of 4.4.6 everything works like expected. But after 10 hours it seems as if winbind is not able to refresh tickets. Logins after 10 hours with "smbclient ... -d8" usually take about 20 seconds, hanging at NTLMSSP_NEGOTIATE_KEY_EXCH. During the next 5 minutes login is fine, but then again it takes 20 seconds. Restarting winbindd resolves the problem for the next 10 hours.

In the correlated log.wb-MyDOMAIN at level 10 I see entries like:

    gss_init_sec_context failed with [ The context has expired: Success]
    /source3/libads/sasl.c:785(ads_sasl_spnego_bind) kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred.

Attached you will find the whole bunch of logs.

For testing I compiled samba 4.4.6 using --with-system-mitkrb5 (version 1.14.4), which works fine. Another test with version 4.5.0 and an embedded heimdal build, however, shows the same problem mentioned above. The samba version I used before upgrading was 4.2.14 and it was working OK.

Any help would be appreciated.

Regards
Klaus
A similar problem happens when using MIT krb5 (even with the patches from bug #12369).

The problem is the usage of gss_acquire_cred(), which just creates a credential handle without a ccache. As a result gss_init_sec_context() will trigger a code path where it uses "ccselect" plugins. And the ccselect_realm module just chooses a random ccache from a global list where the realm of the provided target principal matches the realm of the ccache user principal.

In the winbindd case we're using MEMORY:cliconnect to set up the smb connection to the DC. For ldap connections we use MEMORY:winbind_ccache. The typical case is that we do the smb connection first. If we try to create a new ldap connection while the credentials in MEMORY:cliconnect are expired, we'll do the required kinit into MEMORY:winbind_ccache, but the ccselect_realm module will select MEMORY:cliconnect and try to get a service ticket for the ldap server using the already expired TGT from MEMORY:cliconnect.

Without the patches from bug #12369 it's even more confusing, as we'll do the kinit for the ldap connection into MEMORY:ads_sasl_spnego_bind while the main winbindd logic does an expiry check/cleanup on MEMORY:winbind_ccache. But the overall behaviour is similar with or without the patches from #12369.

The solution will be to use gss_krb5_import_cred() and explicitly pass the desired ccache, which avoids the ccselect logic. We could also use gss_acquire_cred_from(), but that's only available in modern MIT krb5 versions, while gss_krb5_import_cred() is available in heimdal and all supported MIT versions (>=1.9). As far as I can see both call the same internal function in MIT (at least for the ccache case).
(In reply to Stefan Metzmacher from comment #1) Hmm.... That appears to be the original fix proposed for bug 12007, and was rejected by Simo. See https://lists.samba.org/archive/samba-technical/2016-July/114903.html And also https://lists.samba.org/archive/samba-technical/2016-July/114884.html
I think Simo's comments indicate that there are more problems and that we would have to fully understand what's going on. At that time I thought the major difference was the case where we had a password and tried without a kinit. In fact that and "HEIMDAL:lib/krb5: destroy a memory ccache on reinit" (commit 2abc3710a8a63327a769ba0482c553ed274b2113) fixed the problem for heimdal. But now we know that gss_acquire_cred() is dangerous and we know the exact reason for it. And using gss_krb5_import_cred() is the most portable way to get what we want.
MIT suggests using gss_acquire_cred_from(), but that function is not available in Heimdal. http://k5wiki.kerberos.org/wiki/Projects/Credential_Store_extensions
Created attachment 12785: Possible patches for master
Created attachment 12818: Patches for v4-5-test
Created attachment 12819: Patches for v4-4-test (also applies to v4-3 and v4-2)
Karolin, please add the patches to the relevant branches. Thanks!
(In reply to Andreas Schneider from comment #8) Pushed to autobuild-v4-{5,4}-test.
(In reply to Karolin Seeger from comment #9) Pushed to both branches. Closing out bug report. Thanks!