When using winbindd in kerberos mode, your previous ticket cache file gets destroyed if you attempt to log in again but get the wrong password.

Scenario: Winbind is configured to use kerberos. You successfully log into a computer and now have a ticket cache in /tmp/krb5cc_xxxx. You now attempt to log into the same computer again, but this time accidentally get the password wrong! You now no longer have a /tmp/krb5cc_xxxx cache file: winbindd has destroyed the cache file. This can cause the user issues when any onward authentication is required (such as ssh or even kerberised nfs).

Reason: winbindd_raw_kerberos_login in winbindd_pam.c treats all kerberos failures identically and destroys the ticket cache and removes the user from the ccache_list linked list (or decrements the ref_count).

Thanks for any help you can give on fixing this.
So I think the correct NTSTATUS to look at is whether we get NT_STATUS_LOGON_FAILURE back from kerberos_return_pac() inside winbindd_raw_kerberos_login().
I see the problem as being in two parts:

1) The remove_ccache done after the failed kerberos_return_pac call is not required. This failed login has not added the user to the ccache_list linked list. That happens only if kerberos_return_pac is successful. I think lines 683-687 can be safely removed.

2) The ads_kdestroy that occurs after the failed kerberos_return_pac call may not be required. I think a failed kerberos_return_pac does an ads_kdestroy upon itself.

I may of course be completely wrong in my reading of the code :)

So I think all the code (apart from the return result;) after the failed label in winbindd_raw_kerberos_login is not required?

Cheers, Ian.
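An added model (not Samba's own code) of the ccache_list bookkeeping described in the report and in the two-part analysis above: an entry with a ref_count is added only after a successful kerberos_return_pac(), so running the failure-path cleanup on a wrong password tears down the cache a previous good login created. The names simulate_login, destroy_and_unlink, cache_file_exists and reset_ccache_list are assumptions for this model; the cleanup_on_failure flag switches between the reported behaviour and the proposed one.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_USERS 8
/* One ccache_list entry; ref_count 0 means "no entry for this user". */
struct ccache_entry { char user[32]; int ref_count; bool file_exists; };
static struct ccache_entry ccache_list[MAX_USERS];   /* file_exists models /tmp/krb5cc_xxxx */

void reset_ccache_list(void) { memset(ccache_list, 0, sizeof ccache_list); }
static struct ccache_entry *find_entry(const char *user) {
    for (int i = 0; i < MAX_USERS; i++)
        if (ccache_list[i].ref_count > 0 && strcmp(ccache_list[i].user, user) == 0)
            return &ccache_list[i];
    return NULL;
}

/* Stands in for add_ccache_to_list(): only reached after a successful PAC fetch. */
static void add_ccache_to_list(const char *user) {
    struct ccache_entry *e = find_entry(user);
    if (e) { e->ref_count++; return; }
    for (int i = 0; i < MAX_USERS; i++) {
        if (ccache_list[i].ref_count != 0) continue;
        strncpy(ccache_list[i].user, user, sizeof ccache_list[i].user - 1);
        ccache_list[i].ref_count = 1;
        ccache_list[i].file_exists = true;
        return;
    }
}

/* Stands in for the failure-path ads_kdestroy() + remove_ccache() pair. */
static void destroy_and_unlink(const char *user) {
    struct ccache_entry *e = find_entry(user);
    if (!e) return;
    e->file_exists = false;   /* ads_kdestroy: the cache file is gone regardless of refs */
    e->ref_count--;           /* remove_ccache: drop the reference */
}

/* password_ok models kerberos_return_pac() succeeding. cleanup_on_failure=true is the
 * behaviour the report describes; false skips the cleanup, since a failed login never
 * added an entry to the list (that happens only on success). */
bool simulate_login(const char *user, bool password_ok, bool cleanup_on_failure) {
    if (password_ok) { add_ccache_to_list(user); return true; }
    if (cleanup_on_failure) destroy_and_unlink(user);
    return false;
}

bool cache_file_exists(const char *user) {
    struct ccache_entry *e = find_entry(user);
    return e != NULL && e->file_exists;
}
```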
Most probably related to https://bugzilla.redhat.com/show_bug.cgi?id=981033 which is pushed out to Fedora as 4.0.7-2.
*** This bug has been marked as a duplicate of bug 9994 ***