ads_cached_connection() in winbindd_ads.c: tickets expired?
Jeremy Allison
jra at samba.org
Mon Mar 22 05:44:33 GMT 2004
On Sun, Mar 21, 2004 at 08:37:01PM -0700, Jim McDonough wrote:
>
> Ok, before I dig too far in this (which either takes 10 hours at a shot to
> reproduce it or I figure a way to make win2k give us short-lived tickets),
> I'd like a sanity check. It appears to me that the tremendous performance
> gain of caching the connection via ads_cached_connection() in
> winbindd_ads.c comes with a price: after the tickets expire, the cached
> connection is worthless. It seems we need to periodically refresh this
> connection, no? Maybe we need a timestamp and perhaps we can get ticket
> life info out of kerberos when we acquire the tickets?
>
> Or am I totally missing something here? I've got a customer who is needing
> to restart winbindd every 10 hours, as the tickets expire...seems like we
> would have had complaints about this already, which is why I'm wondering if
> it's a setup issue.

Ok, what version of krb5? I see in the source code I have
handy here on my laptop (I'm in Utah all week - don't ask! :-)
in krb5/krb/get_in_tkt.c for version 1.2.6 (somewhat old I think)

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
        request.till += options->tkt_life;
    else
        request.till += 10*60*60; /* this used to be hardcoded in kinit.c */

but the only way to set the KRB5_GET_INIT_CREDS_OPT_TKT_LIFE option
seems to be using a kinit -l option, not a krb5.conf parameter.

God - kerberos krb5.conf has significantly *worse* documentation
than smb.conf - it doesn't seem to have changed since I worked
on it in 1997 :-(.

Jeremy.
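
Added example, not part of the original message and not Samba or krb5 code: a sketch of the timestamp idea raised in the quoted question, where the cache records the ticket end time and rebuilds the connection shortly before it passes. The struct, callbacks, EXPIRY_MARGIN and the fake_* stand-ins are hypothetical names; the 10-hour fallback is the default visible in the get_in_tkt.c lines above.

```c
#include <time.h>

#define DEFAULT_TKT_LIFE (10 * 60 * 60) /* fallback lifetime from the snippet above */
#define EXPIRY_MARGIN    (5 * 60)       /* assumed margin for clock skew */

/* Hypothetical cache entry: connection handle plus absolute ticket end time. */
struct cached_conn {
    void  *handle;
    time_t tkt_expiry;
};

/* Hypothetical callbacks: connect authenticates and reports the ticket
 * lifetime in seconds (0 if unknown); close tears the connection down. */
typedef void *(*connect_fn)(time_t *tkt_life);
typedef void (*close_fn)(void *handle);

/* Return a usable connection, rebuilding it once the ticket is near expiry. */
void *get_cached_conn(struct cached_conn *c, time_t now,
                      connect_fn do_connect, close_fn do_close)
{
    time_t life = 0;
    if (c->handle != NULL && now + EXPIRY_MARGIN < c->tkt_expiry)
        return c->handle;              /* ticket still valid: fast path */
    if (c->handle != NULL) {           /* stale: drop it before it fails */
        do_close(c->handle);
        c->handle = NULL;
    }
    c->handle = do_connect(&life);
    if (c->handle == NULL)
        return NULL;                   /* nothing cached; next call retries */
    c->tkt_expiry = now + (life > 0 ? life : DEFAULT_TKT_LIFE);
    return c->handle;
}

/* Constructed stand-ins so the example runs offline. */
static int connects, closes, dummy;
static time_t fake_life;
static void *fake_connect(time_t *life) { connects++; *life = fake_life; return &dummy; }
static void fake_close(void *h) { (void)h; closes++; }

int main(void)
{
    struct cached_conn c = { NULL, 0 };
    time_t t0 = 1000000;               /* constructed clock value */
    get_cached_conn(&c, t0, fake_connect, fake_close);
    get_cached_conn(&c, t0 + 9 * 3600, fake_connect, fake_close);   /* reused */
    get_cached_conn(&c, t0 + 10 * 3600, fake_connect, fake_close);  /* rebuilt */
    return (connects == 2 && closes == 1) ? 0 : 1;
}
```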