The Samba-Bugzilla – Bug 9108
previous winbindd kerberos ticket cache file is destroyed if wrong password is used
Last modified: 2013-08-12 12:27:00 UTC
When using winbindd in kerberos mode your previous ticket cache file gets destroyed if you attempt to login in again but get the wrong password.
Winbind is configured to use kerberos.
You successfully log into a computer and now have a ticket cache in /tmp/krb5cc_xxxx
You now attempt to log into the same computer again but this time accidentally get the password wrong! You, now, no longer have a /tmp/krb5cc_xxxx cache file.
winbindd has destroyed the cache file.
This can cause the user issues when any onwards authentication is required (such as ssh or even kerberised nfs).
winbindd_raw_kerberos_login in winbindd_pam.c treats all kerberos failures identically and destroys the ticket cache and removes the user from the ccache_list linked list (or decrements the ref_count)
Thanks for any help you can be on fixing this.
So I think the correct NTSTATUS to look at is if we get NT_STATUS_LOGON_FAILURE back from kerberos_return_pac() inside winbindd_raw_kerberos_login().
I see the problem as being in two parts:
1) the remove_ccache done after the failed kerberos_return_pac call is not required. This failed login has not added the user the the ccache_list linked list. That happens only if kerberos_return_pac is successful. I think lines 683-687 can be safely removed.
2) the ads_kdestroy that occurs after the failed kerberos_return_pac call may not be required. I think a failed kerberos_return_pac does a ads_kdestroy upon itself.
I may of course be completely wrong in my reading of the code :)
So I think all the code (apart from the return result;) after the failed label in winbindd_raw_kerberos_login is not required ?
Most probably related to https://bugzilla.redhat.com/show_bug.cgi?id=981033 which is pushed out to Fedora as 4.0.7-2.
*** This bug has been marked as a duplicate of bug 9994 ***