When I get my password wrong, winbindd *deletes* my existing, valid credentials cache. This is particularly horrid of it when I'm running as a user who doesn't exist in the domain, so even when I subsequently get my password *right*, it's matched by pam_unix not pam_winbind, and I don't even get my TGT recreated.
Trying this patch now, which will probably make me happy but I'm not fully aware of the other implications of it: --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -691,6 +691,8 @@ failed: * local host and therefor didn't get the PAC, we need to remove that * cache entirely now */ + if (user_ccache_file) + return result; krb5_ret = ads_kdestroy(cc); if (krb5_ret) { DEBUG(3,("winbindd_raw_kerberos_login: "
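Review bot: the early return `if (user_ccache_file) return result;` in the failed: path skips ads_kdestroy() for every non-NULL user_ccache_file, not only for a wrong password; that includes the case the comment directly above it describes, where the host service ticket could not be verified and no PAC was obtained, so a cache holding an unverified TGT would now survive. Narrow the guard to the logon-failure case, or at least move it above that comment and give it its own comment, because as placed the text "we need to remove that cache entirely now" now introduces a line that does the opposite. Style: Samba's coding guidelines want braces even on a single-statement body, i.e. `if (user_ccache_file) {` / `return result;` / `}`.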
I will look into it. Thanks for the bug report!
Koji scratch build with the above patch (to prevent my users from lynching me when winbind keeps stealing their TGTs) at http://koji.fedoraproject.org/koji/taskinfo?taskID=5593624
Yes, the patch looks fine. I will propose it upstream. Thanks!
How do you reproduce it?
sudo whoami <get password wrong> Do not subsequently get your password *right*, if you are actually authenticated by pam_winbind. That'll give you a new TGT and mask the problem. If, like me, your local username doesn't match your Windows username and you actually "log in" to winbind with 'wbinfo -K $WINUSER', the problem is much easier to notice.
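A scripted version of the reproducer above, added here as an example and not part of the original report. It records the credentials cache by inode before running `wbinfo -K` with a deliberately wrong password, so a deleted cache (the bug) can be told apart from a cache that was silently replaced by a fresh TGT (the masking effect of a correct password). It assumes KRB5CCNAME names a FILE: cache that already holds a valid TGT, that WINUSER is the domain account, and that wbinfo and ls are on PATH; the helper names are the example's own.

```shell
#!/bin/sh
# Reproducer harness for "failed winbind logon destroys an existing ccache".
# Assumptions (not from the original report): KRB5CCNAME is a FILE: ccache
# with a valid TGT, WINUSER is the domain user used with 'wbinfo -K'.

# Strip an optional FILE: prefix from a ccache name.
ccache_file() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Fingerprint a ccache by inode, so a delete-and-recreate on the same path
# is still visible; prints "missing" when the file does not exist.
ccache_id() {
    f=$(ccache_file "$1")
    [ -e "$f" ] && ls -i "$f" | awk '{print $1}' || echo missing
}

# Compare two fingerprints.
# Returns 0: cache untouched, 1: cache deleted, 2: cache replaced (new inode).
classify() {
    if [ "$2" = missing ]; then
        return 1
    elif [ "$1" != "$2" ]; then
        return 2
    fi
    return 0
}

reproduce() {
    before=$(ccache_id "$KRB5CCNAME")
    # Deliberately wrong password; wbinfo -K takes USER%PASSWORD.
    wbinfo -K "${WINUSER}%definitely-not-the-password" >/dev/null 2>&1
    after=$(ccache_id "$KRB5CCNAME")
    rc=0
    classify "$before" "$after" || rc=$?
    case $rc in
        0) echo "OK: $(ccache_file "$KRB5CCNAME") survived the failed logon" ;;
        1) echo "BUG: $(ccache_file "$KRB5CCNAME") was deleted by winbindd" ;;
        2) echo "ccache was replaced by a new TGT; the password was not wrong" ;;
    esac
    return $rc
}

# Run as: KRB5CCNAME=FILE:/tmp/krb5cc_1000 WINUSER=jdoe sh reproduce.sh run
if [ "${1:-}" = run ]; then
    reproduce
fi
```

Run it on an affected build and exit status 1 (cache deleted) is the bug; on a fixed build the cache is untouched and the script exits 0.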
That reproducer was mentioned in the upstream bug btw.
Most probably related to https://bugzilla.samba.org/show_bug.cgi?id=9108 (we were seeing the same thing and searched in samba BZ first)
This has been fixed in Samba 4.0.8.