[PATCH] krb5 ticket refresh after suspend and winbindd goes from offline to online

Andreas Schneider anschneider at suse.de
Wed Dec 17 10:11:13 GMT 2008


On Wednesday 17 December 2008 06:27:04 boyang wrote:
> Hi, everyone:

Hi Bo,

>       2. The krb5 ticket must be refreshed. But the
> krb5_ticket_refresh_handler might not be fired as soon as possible. There
> can be a 5-minute lag between the ticket refresh and winbindd going online.
> Apps (smbspool) relying on the krb5 ticket suffer from this; we must ensure
> that the ticket is refreshed as soon as winbindd goes online. [in
> winbindd_cm.c]
>       3. The krb5 ticket refresh chain is broken in
> krb5_ticket_refresh_handler(). When the KDC is unreachable, we have to keep
> the krb5 ticket refresh handler. [in winbindd_cred_cache.c]
>

I looked at the patches and thought about the problem. Your patches are fine.
I just think there is an additional case.

Let's assume we come back from suspend. We log in again and normally the
Kerberos tickets get refreshed, but we can't do this, so the expired tickets
are still available in the ccache. Then we get a network connection, but we
still can't connect to the ADS and refresh some tickets.

Then the user connects to the ADS network (maybe a network link was broken or
he opened a VPN connection) and can access the servers. If he now tries to
connect to a server which needs Kerberos authentication, the expired tickets
will be used.

Shouldn't the expired tickets be removed if we can't refresh them?


	-- andreas
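To make the behaviour discussed in this thread concrete, here is an added Python model of the refresh chain (not Samba's code; the timer interval, the KDC callback and the Entry structure are assumptions): the handler re-arms itself when the KDC is unreachable, the offline-to-online transition refreshes immediately instead of waiting for the timer, and a ticket that expired and could not be renewed is purged rather than handed to a consumer such as smbspool.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed refresh interval / pre-expiry margin (the thread's 5-minute lag).
REFRESH_INTERVAL = 300


class KdcUnreachable(Exception):
    """Raised by the KDC callback (assumed interface) when no DC answers."""


@dataclass
class Entry:
    """Per-principal state: TGT expiry (None once purged) and next timer firing."""
    endtime: Optional[int]
    next_fire: Optional[int]


def refresh_handler(entries: Dict[str, Entry], principal: str, now: int,
                    kdc: Callable[[str], int]) -> str:
    """One firing of the refresh timer. kdc(principal) re-acquires the TGT
    and returns its new endtime, or raises KdcUnreachable. The timer is
    always re-armed so the refresh chain never breaks, and a TGT that has
    already expired is purged instead of being left in the ccache."""
    e = entries[principal]
    try:
        e.endtime = kdc(principal)
        e.next_fire = e.endtime - REFRESH_INTERVAL   # renew shortly before expiry
        return "refreshed"
    except KdcUnreachable:
        e.next_fire = now + REFRESH_INTERVAL          # keep the chain alive
        if e.endtime is not None and now >= e.endtime:
            e.endtime = None                          # stale TGT: drop it
            return "purged"
        return "rearmed"


def go_online(entries: Dict[str, Entry], now: int,
              kdc: Callable[[str], int]) -> Dict[str, str]:
    """Offline->online transition: refresh every principal immediately
    rather than waiting up to REFRESH_INTERVAL for the next timer firing."""
    return {p: refresh_handler(entries, p, now, kdc) for p in entries}


def usable_ticket(entries: Dict[str, Entry], principal: str, now: int) -> bool:
    """Check a consumer such as smbspool should make before relying on the TGT."""
    e = entries.get(principal)
    return e is not None and e.endtime is not None and now < e.endtime
```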