Bug 9108 - previous winbindd kerberos ticket cache file is destroyed if wrong password is used
Summary: previous winbindd kerberos ticket cache file is destroyed if wrong password i...
Status: RESOLVED DUPLICATE of bug 9994
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.6.7
Hardware: x64 Linux
: P5 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2012-08-22 07:42 UTC by ian.gordon
Modified: 2013-08-12 12:27 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description ian.gordon 2012-08-22 07:42:27 UTC
When using winbindd in kerberos mode your previous ticket cache file gets destroyed if you attempt to login in again but get the wrong password.


Winbind is configured to use kerberos.
You successfully log into a computer and now have a ticket cache in /tmp/krb5cc_xxxx
You now attempt to log into the same computer again but this time accidentally get the password wrong! You, now, no longer have a /tmp/krb5cc_xxxx cache file.
winbindd has destroyed the cache file.
This can cause the user issues when any onwards authentication is required (such as ssh or even kerberised nfs).


winbindd_raw_kerberos_login in winbindd_pam.c treats all kerberos failures identically and destroys the ticket cache and removes the user from the ccache_list linked list (or decrements the ref_count)

Thanks for any help you can be on fixing this.
Comment 1 Jeremy Allison 2012-08-23 00:00:32 UTC
So I think the correct NTSTATUS to look at is if we get NT_STATUS_LOGON_FAILURE back from kerberos_return_pac() inside winbindd_raw_kerberos_login().
Comment 2 ian.gordon 2012-08-24 07:33:46 UTC
I see the problem as being in two parts:

1) the remove_ccache done after the failed kerberos_return_pac call is not required. This failed login has not added the user the the ccache_list linked list. That happens only if kerberos_return_pac is successful. I think lines 683-687 can be safely removed.

2) the ads_kdestroy that occurs after the failed kerberos_return_pac call may not be required. I think a failed kerberos_return_pac does a ads_kdestroy upon itself.

I may of course be completely wrong in my reading of the code :)

So I think all the code (apart from the return result;) after the failed label in winbindd_raw_kerberos_login is not required ?


Comment 3 Stijn Hoop 2013-08-12 11:28:49 UTC
Most probably related to https://bugzilla.redhat.com/show_bug.cgi?id=981033 which is pushed out to Fedora as 4.0.7-2.
Comment 4 Andreas Schneider 2013-08-12 12:27:00 UTC

*** This bug has been marked as a duplicate of bug 9994 ***