[PATCH] krb5 ticket refresh after suspend and winbindd goes from offline to online

boyang boyang at novell.com
Wed Dec 17 05:27:04 GMT 2008


Hi, everyone:

1. When winbindd goes from offline to online, the primary domain's
online status must be updated. Trusted domains will contact the primary
domain for authentication and other things. [in winbindd_dual.c]
2. The krb5 ticket must be refreshed. But the
krb5_ticket_refresh_handler might not be fired as soon as possible. There
can be a 5 minute lag between the ticket refresh and winbindd going online.
Apps (smbspool) relying on the krb5 ticket suffer from this; we must ensure
that the ticket is refreshed as soon as winbindd goes online. [in winbindd_cm.c]
3. The krb5 ticket refresh chain is broken in
krb5_ticket_refresh_handler(). When the KDC is unreachable, we have to keep
the krb5 ticket refresh handler. [in winbindd_cred_cache.c]

The use case for 3 is: login ---> suspend ---> krb5 ticket expires --->
wakeup without network connection ---> ticket refresh handler ---> KDC
unreachable ---> ticket refresh chain broken ---> network connection restored,
winbindd online, the ticket never gets refreshed, smbspool/nautilus suffer from
the expired ticket, account locked out. :-(

The use case for 2 is: login ---> suspend ---> krb5 ticket expires --->
wakeup without network connection ---> ticket refresh handler, KDC
unreachable (assume the refresh chain is not broken), network restored, winbindd
online. They happen at almost the same time. (The ticket will be refreshed 5
minutes later.) smbspool suffers from this, account locked out. So, when
winbindd goes online, refreshing the ticket as soon as possible is reasonable. :-)

The patches are in the attachments, please review them.
Thanks!

Best
        Regards
--BoYang
17th, Dec


-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-refresh-master.diff
Type: text/x-patch
Size: 3159 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20081217/9709b7df/krb5-refresh-master.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-refresh-v3-0-test.diff
Type: text/x-patch
Size: 3168 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20081217/9709b7df/krb5-refresh-v3-0-test.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-refresh-v3-2-test.diff
Type: text/x-patch
Size: 3141 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20081217/9709b7df/krb5-refresh-v3-2-test.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-refresh-v3-3-test.diff
Type: text/x-patch
Size: 3147 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20081217/9709b7df/krb5-refresh-v3-3-test.bin
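
The two use cases in the message above, modelled as an added example that is not part of the original post or of the attached Samba patches. The struct, the function names, the simulated clock and the 300 second retry interval (taken from the "5 minutes" in the post) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model, not Samba code: times are seconds on a simulated clock. */
#define RETRY_SECS 300      /* assumed retry interval (the "5 minutes" in the post) */
#define NO_EVENT   (-1)

struct sim {
    long next_refresh;      /* when the refresh handler fires next, or NO_EVENT */
    long net_up_at;         /* time at which the KDC becomes reachable again */
    bool rearm_on_failure;  /* item 3: keep the handler when the KDC is unreachable */
    bool refresh_on_online; /* item 2: refresh as soon as winbindd goes online */
};

/* One firing of the refresh handler; returns true if the ticket was renewed. */
static bool refresh_handler(struct sim *s, long now)
{
    s->next_refresh = NO_EVENT;             /* the model's timer is one-shot */
    if (now >= s->net_up_at)
        return true;                        /* KDC reachable: ticket renewed */
    if (s->rearm_on_failure)
        s->next_refresh = now + RETRY_SECS; /* keep the refresh chain alive */
    return false;                           /* without re-arming, the chain ends */
}

/* Runs the clock from wakeup; returns when the ticket is renewed, -1 if never. */
long time_of_refresh(struct sim s, long wakeup, long horizon)
{
    s.next_refresh = wakeup;                /* ticket expired during suspend */
    for (long now = wakeup; now <= horizon; now++) {
        if (now == s.net_up_at && s.refresh_on_online)
            s.next_refresh = now;           /* online transition schedules a refresh */
        if (s.next_refresh == now && refresh_handler(&s, now))
            return now;
    }
    return -1;
}

int main(void)
{
    /* Constructed scenario: wakeup at t=0, network restored at t=10. */
    struct sim broken  = { NO_EVENT, 10, false, false };
    struct sim rearmed = { NO_EVENT, 10, true,  false };
    struct sim both    = { NO_EVENT, 10, true,  true  };
    printf("broken chain: %ld\n", time_of_refresh(broken, 0, 3600));
    printf("re-arm only:  %ld\n", time_of_refresh(rearmed, 0, 3600));
    printf("both fixes:   %ld\n", time_of_refresh(both, 0, 3600));
    return 0;
}
```

In the constructed scenario the ticket is never renewed when the chain breaks, is renewed only at the next retry when the handler is merely kept, and is renewed at the moment the network returns when the online transition also triggers a refresh.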