If I run 'sudo' and enter my password correctly, pam_winbind gets me a shiny new Kerberos TGT with a completely fresh 10-day renewable lifetime. Yay!

If I run 'sudo' and get my password *wrong*, pam_winbind deletes my existing, valid, credentials cache. Bad winbind. No biscuit.

[dwoodhou@i7 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_504
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
03/07/13 20:27:59  04/07/13 06:27:59  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 02/08/13 20:27:59
03/07/13 20:27:59  04/07/13 06:27:59  DWOODHOU-LINUX$@GER.CORP.INTEL.COM
	renew until 02/08/13 20:27:59
[dwoodhou@i7 ~]$ sudo whoami
[sudo] password for dwoodhou:
Sorry, try again.
[sudo] password for dwoodhou:
Sorry, try again.
[sudo] password for dwoodhou:
Sorry, try again.
sudo: 3 incorrect password attempts
[dwoodhou@i7 ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_504)

This is particularly problematic for me since the user I usually run as is not the 'dwoodhou' user that matches my domain username. I don't think winbind can do any kind of automatic mapping, so I log in with pam_unix and then use 'wbinfo -K dwoodhou' to prime the ntlm_auth helper and obtain my TGT (although for some reason I think it doesn't get *renewed* automatically when I do it that way?).

The result is that when I fudge my password during 'sudo' or presumably any other PAM run, pam_winbind gets to wipe my creds cache and even when I get my password *right* on a second attempt, it doesn't get recreated.
Breakpoint 1, unlink () at ../sysdeps/unix/syscall-template.S:81
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
Missing separate debuginfos, use: debuginfo-install sssd-client-1.10.0-12.fc19.beta2.x86_64
(gdb) up
#1  0x0000003d5fc35129 in krb5_fcc_destroy (context=0x1d55fe0, id=0x1d5f110) at cc_file.c:1606
1606	    ret = unlink(data->filename);
(gdb) p data->filename
$1 = 0x1d51f80 "/tmp/krb5cc_1000"
(gdb) bt
#0  unlink () at ../sysdeps/unix/syscall-template.S:81
#1  0x0000003d5fc35129 in krb5_fcc_destroy (context=0x1d55fe0, id=0x1d5f110) at cc_file.c:1606
#2  0x0000003d9040855a in ads_kdestroy (cc_name=cc_name@entry=0x1d55a30 "FILE:/tmp/krb5cc_1000") at ../source3/libads/kerberos.c:320
#3  0x000000000043a4a9 in winbindd_raw_kerberos_login (krb5ccname=0x7fff06f58418 "", info3=0x7fff06f570d0, uid=1000, krb5_cc_type=0x7fff06f580d8 "FILE", pass=0x7fff06f57bd8 "asd", user=0x7fff06f57ad8 "GER\\dwmw2", domain=0x1d46d50, mem_ctx=0x1d4cd70) at ../source3/winbindd/winbindd_pam.c:686
#4  winbindd_dual_pam_auth_kerberos (domain=0x1d46d50, info3=0x7fff06f570d0, state=0x7fff06f57950) at ../source3/winbindd/winbindd_pam.c:1113
#5  winbindd_dual_pam_auth (domain=0x1d46d50, state=0x7fff06f57950) at ../source3/winbindd/winbindd_pam.c:1627
#6  0x0000000000450257 in child_process_request (child=0x1d44940, child=0x1d44940, state=0x7fff06f57950) at ../source3/winbindd/winbindd_dual.c:441
#7  fork_domain_child (child=0x1d44940) at ../source3/winbindd/winbindd_dual.c:1554
#8  0x0000000000450cc5 in wb_child_request_trigger (req=0x1d45f30, private_data=<optimized out>) at ../source3/winbindd/winbindd_dual.c:146
#9  0x0000003d83e043f4 in tevent_common_loop_immediate ()
---Type <return> to continue, or q <return> to quit---
   from /lib64/libtevent.so.0
#10 0x0000003d8a24360c in run_events_poll (ev=0x1d3edb0, pollrtn=0, pfds=0x0, num_pfds=0) at ../source3/lib/events.c:192
#11 0x0000003d8a2438f4 in s3_event_loop_once (ev=0x1d3edb0, location=<optimized out>) at ../source3/lib/events.c:303
#12 0x0000003d83e03bcd in _tevent_loop_once () from /lib64/libtevent.so.0
#13 0x000000000042008a in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../source3/winbindd/winbindd.c:1525
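The failure path in the report and backtrace above (a failed login whose cleanup unlinks the user's existing cache), modelled with plain files as an added example; it is not Samba code and not the patch attached to this bug. `fake_kinit`, the password "correct" and the `krb5cc_demo` path are constructed stand-ins, and the temp-file-then-rename pattern is an assumed illustration of one way to keep a failed attempt from touching the old cache.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical KDC exchange: only "correct" yields a ticket. extra: O_TRUNC or O_EXCL. */
static int fake_kinit(const char *path, const char *pass, int extra)
{
    if (strcmp(pass, "correct") != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | extra, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, "new-tgt\n", 8);
    return (close(fd) == 0 && n == 8) ? 0 : -1;
}

/* Reported behaviour: failure cleanup unlinks the user's cache, whoever created it. */
int login_destroy_on_failure(const char *cc, const char *pass)
{
    int rc = fake_kinit(cc, pass, O_TRUNC);
    if (rc != 0)
        unlink(cc); /* the unlink() reached via ads_kdestroy in the backtrace */
    return rc;
}

/* Safer pattern: work in a file this attempt owns; touch cc only on success. */
int login_preserve_on_failure(const char *cc, const char *pass)
{
    char tmp[1024];
    int len = snprintf(tmp, sizeof tmp, "%s.new.%ld", cc, (long)getpid());
    if (len < 0 || (size_t)len >= sizeof tmp)
        return -1;
    int rc = fake_kinit(tmp, pass, O_EXCL); /* O_EXCL refuses an existing path or symlink */
    if (rc == 0)
        rc = rename(tmp, cc); /* atomic replace of the old cache */
    if (rc != 0)
        unlink(tmp); /* cleanup touches only the temporary file */
    return rc;
}

int main(void)
{
    const char *cc = "krb5cc_demo";     /* constructed path in the current directory */
    fake_kinit(cc, "correct", O_TRUNC); /* an earlier successful login */
    login_preserve_on_failure(cc, "wrong");
    printf("cache %s after a failed attempt\n", access(cc, F_OK) == 0 ? "kept" : "gone");
    return unlink(cc);
}
```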
Also filed as https://bugzilla.redhat.com/show_bug.cgi?id=981033 where I have added a trivial straw-man patch.
Created attachment 9047: v4-0-test and v4-1-test patch
Comment on attachment 9047 (v4-0-test and v4-1-test patch): looks good.
Karolin, could you please add it to 4.0 and 4.1? Thanks!
Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
Pushed to v4-0-test and v4-1-test. Closing out bug report. Thanks!
Karolin, could you please add the patch to 3.6 too? It cleanly applies. Thanks!
*** Bug 9108 has been marked as a duplicate of this bug. ***
Pushed to v3-6-test, will be included in Samba 3.6.19. Closing out bug report. Thanks!