Bug 9108 - previous winbindd kerberos ticket cache file is destroyed if wrong password is used
previous winbindd kerberos ticket cache file is destroyed if wrong password i...
Status: RESOLVED DUPLICATE of bug 9994
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
3.6.7
x64 Linux
: P5 normal
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-22 07:42 UTC by ian.gordon
Modified: 2013-08-12 12:27 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ian.gordon 2012-08-22 07:42:27 UTC
When using winbindd in kerberos mode your previous ticket cache file gets destroyed if you attempt to login in again but get the wrong password.

Scenario: 

Winbind is configured to use kerberos.
You successfully log into a computer and now have a ticket cache in /tmp/krb5cc_xxxx
You now attempt to log into the same computer again but this time accidentally get the password wrong! You, now, no longer have a /tmp/krb5cc_xxxx cache file.
winbindd has destroyed the cache file.
This can cause the user issues when any onwards authentication is required (such as ssh or even kerberised nfs).

Reason:

winbindd_raw_kerberos_login in winbindd_pam.c treats all kerberos failures identically and destroys the ticket cache and removes the user from the ccache_list linked list (or decrements the ref_count)

Thanks for any help you can be on fixing this.
Comment 1 Jeremy Allison 2012-08-23 00:00:32 UTC
So I think the correct NTSTATUS to look at is if we get NT_STATUS_LOGON_FAILURE back from kerberos_return_pac() inside winbindd_raw_kerberos_login().
Comment 2 ian.gordon 2012-08-24 07:33:46 UTC
I see the problem as being in two parts:

1) the remove_ccache done after the failed kerberos_return_pac call is not required. This failed login has not added the user the the ccache_list linked list. That happens only if kerberos_return_pac is successful. I think lines 683-687 can be safely removed.

2) the ads_kdestroy that occurs after the failed kerberos_return_pac call may not be required. I think a failed kerberos_return_pac does a ads_kdestroy upon itself.

I may of course be completely wrong in my reading of the code :)

So I think all the code (apart from the return result;) after the failed label in winbindd_raw_kerberos_login is not required ?

Cheers,

Ian.
Comment 3 Stijn Hoop 2013-08-12 11:28:49 UTC
Most probably related to https://bugzilla.redhat.com/show_bug.cgi?id=981033 which is pushed out to Fedora as 4.0.7-2.
Comment 4 Andreas Schneider 2013-08-12 12:27:00 UTC

*** This bug has been marked as a duplicate of bug 9994 ***