Bug 6872 - krb5 refresh chain is broken when login in cached mode.
Status: NEW
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2009-11-05 02:58 UTC by Bo Yang
Modified: 2009-11-05 08:43 UTC
CC List: 0 users

See Also:


Attachments
patch for v3-2-test (1.06 KB, patch), 2009-11-05 03:00 UTC, Bo Yang
patch for v3-3-test (1.06 KB, patch), 2009-11-05 03:01 UTC, Bo Yang
patch for v3-4-test (1.13 KB, patch), 2009-11-05 03:01 UTC, Bo Yang

Description Bo Yang 2009-11-05 02:58:19 UTC
When winbindd starts without network, the user logs in in cached mode. The trust_type flag is not set because there is no network, so the krb5 refresh timer is not added.

Then, even though the domain member is in an AD environment, the user cannot get a Kerberos ticket when winbindd goes online again. We can use the method in 3.0.x to have a rough guess whether it is AD. :-)

Patches for 3-{2,3,4}-test are in the attachments.

Thanks!
Comment 1 Bo Yang 2009-11-05 03:00:34 UTC
Created attachment 4916 [details]
patch for v3-2-test
Comment 2 Bo Yang 2009-11-05 03:01:04 UTC
Created attachment 4917 [details]
patch for v3-3-test
Comment 3 Bo Yang 2009-11-05 03:01:31 UTC
Created attachment 4918 [details]
patch for v3-4-test
Comment 4 Guenther Deschner 2009-11-05 07:40:54 UTC
(In reply to comment #0)
> When winbindd starts without network, user login in cached mode. The trust_type
> flag is not set because there is no network. So the krb5 refresh timer is not
> added.

I am not sure I understand that patch. The whole purpose of using the tdc cache here was that even while offline (w/o network) the cache could tell us whether a trusted domain is AD or not, so the trust_type flag should already be set (on disc) appropriately.

> 
> Then even domain member is in AD environment, user cannot get kerberos ticket
> when winbindd goes online again. We can use the method in 3.0.x to have a rough
> guess whether it is AD. :-)

This I don't understand at all :-) Why do you think the automatic kinit can't work when coming from offline to online?
Comment 5 Bo Yang 2009-11-05 08:43:15 UTC
Please have a look at the call stack:

init_domain_list() --> add_trusted_domain() --> wcache_tdc_add_domain().

If winbindd starts without network, the trust_type flags will not be set. Then the user logs in in cached mode. In winbindd_dual_pam_auth_cached() [winbindd_pam.c:989], you can see what is wrong here.

The event will not be added.
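The following is an added model of the two positions in this thread, written for illustration; it is not Samba's winbindd code and none of its names (tdc_lookup, tdc_add_domain, startup_reported, startup_cache_aware, pam_auth_cached, the TRUST_TYPE_* values, the domain name "EXAMPLE") are Samba identifiers. It contrasts a startup path that sets the trust type only from a live query (the behaviour reported in comment 0, which leaves the krb5 refresh unscheduled after an offline start) with one that falls back to the persisted trusted-domain cache (the intent described in comment 4), and then runs a cached-mode login through both.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; not Samba's code. Trust-type values are illustrative. */
#define TRUST_TYPE_UNKNOWN 0
#define TRUST_TYPE_AD      1
#define TDC_MAX            8

struct tdc_entry {
    char name[32];
    int  trust_type;
};

/* Stand-in for the on-disk trusted domain cache: it outlives a restart, so
 * an entry written during an earlier online run is still readable when
 * winbindd next starts without network. */
struct tdc_cache {
    struct tdc_entry entries[TDC_MAX];
    int count;
};

struct winbindd_state {
    bool online;
    int  trust_type;              /* in-memory flag for the joined domain */
    bool krb5_refresh_scheduled;  /* whether the refresh timer was added */
};

/* Return the cached trust type for a domain, UNKNOWN if not present. */
static int tdc_lookup(const struct tdc_cache *c, const char *name)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->entries[i].name, name) == 0)
            return c->entries[i].trust_type;
    return TRUST_TYPE_UNKNOWN;
}

/* Record a domain's trust type (overwrite an existing entry or append). */
static void tdc_add_domain(struct tdc_cache *c, const char *name, int trust_type)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->entries[i].name, name) == 0) {
            c->entries[i].trust_type = trust_type;
            return;
        }
    if (c->count < TDC_MAX) {
        snprintf(c->entries[c->count].name, sizeof c->entries[c->count].name, "%s", name);
        c->entries[c->count].trust_type = trust_type;
        c->count++;
    }
}

/* Startup as reported: trust_type comes only from a live DC query (simulated
 * here as "the domain is AD"), so an offline start leaves it UNKNOWN. */
static void startup_reported(struct winbindd_state *s, struct tdc_cache *c,
                             const char *domain, bool network)
{
    s->online = network;
    s->krb5_refresh_scheduled = false;
    if (network) {
        s->trust_type = TRUST_TYPE_AD;
        tdc_add_domain(c, domain, s->trust_type);
    } else {
        s->trust_type = TRUST_TYPE_UNKNOWN;
    }
}

/* Startup using the cache as intended: when offline, consult the persisted
 * trust type instead of leaving the flag unset. */
static void startup_cache_aware(struct winbindd_state *s, struct tdc_cache *c,
                                const char *domain, bool network)
{
    s->online = network;
    s->krb5_refresh_scheduled = false;
    if (network) {
        s->trust_type = TRUST_TYPE_AD;
        tdc_add_domain(c, domain, s->trust_type);
    } else {
        s->trust_type = tdc_lookup(c, domain);
    }
}

/* Cached-mode login: the refresh timer is only added for an AD domain. */
static bool pam_auth_cached(struct winbindd_state *s)
{
    if (s->trust_type == TRUST_TYPE_AD)
        s->krb5_refresh_scheduled = true;
    return s->krb5_refresh_scheduled;
}

/* One earlier online run seeds the cache; then restart offline and log in. */
static bool refresh_after_offline_start(bool cache_aware)
{
    struct tdc_cache cache = {0};
    struct winbindd_state s;
    const char *domain = "EXAMPLE";  /* constructed domain name */

    startup_cache_aware(&s, &cache, domain, true);
    if (cache_aware)
        startup_cache_aware(&s, &cache, domain, false);
    else
        startup_reported(&s, &cache, domain, false);
    return pam_auth_cached(&s);
}

int main(void)
{
    printf("reported startup:    refresh scheduled = %d\n", refresh_after_offline_start(false));
    printf("cache-aware startup: refresh scheduled = %d\n", refresh_after_offline_start(true));
    return 0;
}
```

In the model, the cache-aware startup schedules the refresh after an offline start because the trust type was persisted by the earlier online run, while the reported path never does; which of the two the real wcache_tdc code follows at the line cited in comment 5 is what the thread is trying to settle.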