[PATCH] fixes account locked when using winbind refresh tickets

Samba - samba-technical mailing list
Fixes bug 13212.

Lockouts were caused by winbind cached passwords being used to re-kinit
users after a period of being offline (and tickets expiring), except
that the password had been changed and caused badPwdCount to increase.
This happening on multiple machines at once locked out the user accounts.

 source3/libads/ads_ldap_protos.h       |   2 +
 source3/libads/ldap.c                  |  27 ++++++++
 source3/winbindd/winbindd.h            |   1 +
 source3/winbindd/winbindd_cred_cache.c | 109 +++++++++++++++++++++++++++++++--
 source3/winbindd/winbindd_pam.c        |   7 ++-
 source3/winbindd/winbindd_proto.h      |   3 +-
 6 files changed, 142 insertions(+), 7 deletions(-)

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: 0001-winbind-account-locked-when-using-winbind-refresh-ti.patch (9K)

Re: [PATCH] fixes account locked when using winbind refresh tickets

Samba - samba-technical mailing list
Hi David,

On Thu, Jan 11, 2018 at 04:45:06PM -0700, David Mulder via samba-technical wrote:
> Fixes bug 13212.
>
> Lockouts were caused by winbind cached passwords being used to re-kinit
> users after a period of being offline (and tickets expiring), except
> that the password had been changed and caused badPwdCount to increase.
> This happening on multiple machines at once locked out the user accounts.

Oh, good catch! Thanks.

There are some README.Coding issues around "Make use of helper variables". Can
you fix those please?

Does this hunk even compile:

+ if ((at_ptr = strchr(entry->principal_name, '@')) != NULL) {
+ int strlen = at_ptr-entry->principal_name;
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ sam = talloc_zero_size(ctx, strlen+1);
+ strncpy(sam, entry->principal_name, strlen);
+ } else {
+ DEBUG(5,("Could not determine samAccountName from %s\n",
+ entry->principal_name));
+ goto fail;
+ }
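Review bot: the helper variable on the second `+` line, `int strlen = at_ptr-entry->principal_name;`, shadows the standard `strlen()` function for the rest of the block and stores a pointer difference in an `int`; rename it (for example `sam_len`) and give it `size_t` or `ptrdiff_t`. The `talloc_zero_size()` result is also passed straight to `strncpy()` with no NULL check, so an allocation failure dereferences NULL; the allocate-and-copy pair reduces to a single `sam = talloc_strndup(ctx, entry->principal_name, sam_len);` followed by one NULL check before `sam` is used.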

Also, why not use talloc_strndup()?

And would it be possible to reuse ads_idmap_cached_connection() instead of
rolling your own?

-slow

--
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
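As an added illustration of the points raised in the review above (not code from the patch or from Samba), here is the samAccountName extraction written the way the reply asks for: a properly typed helper variable that does not shadow `strlen()`, an allocation that is checked before it is written to, and explicit termination. Plain libc (`malloc`/`memcpy`) stands in for `talloc_strndup()` so the example builds stand-alone; the function name `principal_to_sam` and the sample principals are assumptions of this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Extract the samAccountName (the part before '@') from a Kerberos
 * principal such as "alice@EXAMPLE.COM".  Returns a freshly malloc'd
 * string the caller must free(), or NULL when the principal is NULL,
 * has no '@', has an empty local part, or allocation fails.
 * Plain libc is used instead of talloc so the example builds alone. */
char *principal_to_sam(const char *principal)
{
    const char *at_ptr;
    size_t sam_len;   /* helper variable; not named 'strlen', which would shadow strlen(3) */
    char *sam;

    if (principal == NULL) {
        return NULL;
    }
    at_ptr = strchr(principal, '@');
    if (at_ptr == NULL || at_ptr == principal) {
        /* No realm separator, or nothing before it: no name to derive. */
        return NULL;
    }
    sam_len = (size_t)(at_ptr - principal);   /* pointer difference, not int */

    sam = malloc(sam_len + 1);
    if (sam == NULL) {                        /* allocation can fail: check before copying */
        return NULL;
    }
    memcpy(sam, principal, sam_len);
    sam[sam_len] = '\0';                      /* strncpy() would not terminate; do it explicitly */
    return sam;
}

/* Self-check helper: 1 if principal_to_sam(principal) yields expected
 * (expected == NULL means "must fail"), 0 otherwise.  Frees the result. */
int principal_to_sam_matches(const char *principal, const char *expected)
{
    char *sam = principal_to_sam(principal);
    int ok;

    if (sam == NULL) {
        return expected == NULL;
    }
    ok = (expected != NULL && strcmp(sam, expected) == 0);
    free(sam);
    return ok;
}

int main(void)
{
    /* Constructed sample principal; exits non-zero if extraction is wrong. */
    return principal_to_sam_matches("alice@EXAMPLE.COM", "alice") ? 0 : 1;
}
```

The rejection of an empty local part (`"@EXAMPLE.COM"`) is the one behaviour beyond the quoted hunk: the hunk only checks for a missing `'@'`, but an empty samAccountName is equally unusable for a directory lookup, so it is treated as the same failure.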