Bug 981033
Summary: | Local user's krb5cc deleted by pam_winbind | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
Component: | samba | Assignee: | Andreas Schneider <asn> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 19 | CC: | abokovoy, asn, dwmw2, gdeschner, jlayton, sbose, ssorce, stijn |
Hardware: | Unspecified | OS: | Unspecified |
Doc Type: | Bug Fix | Type: | Bug |
Last Closed: | 2013-08-12 12:37:40 UTC | | |
Description
David Woodhouse
2013-07-03 20:10:04 UTC
Trying this patch now, which will probably make me happy but I'm not fully aware of the other implications of it:

--- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -691,6 +691,8 @@ failed: * local host and therefor didn't get the PAC, we need to remove that * cache entirely now */ + if (user_ccache_file) + return result; krb5_ret = ads_kdestroy(cc); if (krb5_ret) { DEBUG(3,("winbindd_raw_kerberos_login: "

I will look into it. Thanks for the bug report!

Koji scratch build with the above patch (to prevent my users from lynching me when winbind keeps stealing their TGTs) at http://koji.fedoraproject.org/koji/taskinfo?taskID=5593624

Yes, the patch looks fine. I will propose it upstream. Thanks!

How do you reproduce it?

sudo whoami <get password wrong>

Do not subsequently get your password *right*, if you are actually authenticated by pam_winbind. That'll give you a new TGT and mask the problem. If, like me, your local username doesn't match your Windows username and you actually "log in" to winbind with 'wbinfo -K $WINUSER', the problem is much easier to notice.

That reproducer was mentioned in the upstream bug btw.

Most probably related to https://bugzilla.samba.org/show_bug.cgi?id=9108 (we were seeing the same thing and searched in samba BZ first)

This has been fixed in Samba 4.0.8.
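
Review bot: In the `failed:` hunk of source3/winbindd/winbindd_pam.c, the added `if (user_ccache_file) return result;` skips `ads_kdestroy(cc)` whenever a user ccache is set, which also covers the case the comment directly above it describes, where the cache must be removed because no PAC was obtained. Consider destroying the cache only when this call created it and leaving a cache that existed beforehand untouched, and put a comment on the early return stating why the user's cache is preserved, since the existing comment now reads as if the destroy always happens. As a style point, the check tests the pointer implicitly and has no braces; `if (user_ccache_file != NULL) { return result; }` is clearer.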