When winbindd starts without a network, users log in in cached mode. The trust_type flag is not set because there is no network, so the krb5 refresh timer is not added. Then, even if the domain member is in an AD environment, the user cannot get a Kerberos ticket when winbindd goes online again. We can use the method in 3.0.x to have a rough guess whether it is AD. :-) Patches for 3-{2,3,4}-test are in the attachments. Thanks!
Created attachment 4916: patch for v3-2-test
Created attachment 4917: patch for v3-3-test
Created attachment 4918: patch for v3-4-test
(In reply to comment #0)

> When winbindd starts without network, user login in cached mode. The trust_type
> flag is not set because there is no network. So the krb5 refresh timer is not
> added.

I am not sure I understand that patch. The whole purpose of using the tdc cache here was that even while offline (w/o network) the cache could tell us whether a trusted domain is AD or not, so the trust_type flag should already be set (on disc) appropriately.

> Then even domain member is in AD environment, user cannot get kerberos ticket
> when winbindd goes online again. We can use the method in 3.0.x to have a rough
> guess whether it is AD. :-)

This I don't understand at all :-) Why do you think the automatic kinit can't work when coming from offline to online?
Please have a look at the call stack: init_domain_list() ---> add_trusted_domain() --> wcache_tdc_add_domain(). If winbindd starts without a network, the trust_type flags will not be set. Then the user logs in in cached mode. In winbindd_dual_pam_auth_cached() [winbindd_pam.c:989], you can see what is wrong here: the event will not be added.
The code changed a lot and nobody understands the patch.