[PATCH] krb5 ticket refresh after suspend and winbindd goes from offline to online

boyang boyang at suse.de
Wed Dec 17 11:22:59 GMT 2008


Andreas Schneider wrote:
> On Wednesday 17 December 2008 06:27:04 boyang wrote:
>   
>> Hi, everyone:
>>     
>
> Hi Bo,
>
>   
>>       2. The krb5 ticket must be refreshed. But the
>> krb5_ticket_refresh_handler might not be fired as soon as possible. There
>> can be a 5 minute lag between the ticket refresh and winbindd going online.
>> Apps (smbspool) relying on the krb5 ticket suffer from this; we must ensure
>> that the ticket is refreshed as soon as winbindd goes online. [in
>> winbindd_cm.c]
>>       3. The krb5 ticket refresh chain is broken in
>> krb5_ticket_refresh_handler(). When the KDC is unreachable, we have to keep
>> the krb5 ticket refresh handler. [in winbindd_cred_cache.c]
>>
>>     
>
> I looked at the patches and thought about the problem. Your patches are fine. 
> I just think there is an additional case.
>
> Let's assume we come back from suspend. We login again and normally the 
> kerberos tickets get refreshed, but we can't do this so the expired tickets 
> are still available in the ccache. Then we get a network connection, but we 
> still can't connect to the ADS and refresh some tickets.
>
> Then the user connects to the ADS network (maybe a network link was broken or 
> he opened a vpn connection) and can access the servers. 
Yes.
If the user connects to shares or resources in the domain before winbindd is
aware that it can go online, apps relying on the krb5 ticket suffer.
For VPN, we can use post-VPN-connection hooks to bring winbindd online.
We can do nothing if the network layer is broken, such as a router
down or a broken routing table, because there is no way for winbindd to know
when it can go online except the periodic online check handler. There is a
chance of suffering from an expired ticket.
> If he tries to connect 
> to server now which needs kerberos authentication, the expired tickets will be 
> used.
>
> Shouldn't the expired tickets be removed if we can't refresh them?
>   
Sounds reasonable, but I have no idea whether there is a side effect
of removing them or not. :-)  Looking forward to someone familiar with
it commenting on this.
>
> 	-- andreas
>   
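The two failure modes discussed in this thread (the refresh timer that is dropped when the KDC is unreachable, and the lag between winbindd going online and the next timer tick) modelled as an added illustration. This is constructed example code, not Samba's winbindd implementation; `simulate`, its parameters and the outage window are assumptions chosen for the illustration.

```python
# Constructed model of winbindd's krb5 ticket refresh timer (not Samba code).
# A ticket lives `lifetime` seconds; the refresh handler is armed every
# `interval` seconds. The broken and fixed handlers differ only in what
# happens when the KDC cannot be reached at the moment the timer fires.

def simulate(kdc_down, rearm_on_failure, online_at=None,
             lifetime=10, interval=5, ticks=30):
    """Run `ticks` one-second steps.

    kdc_down         -- set of seconds during which the KDC is unreachable
    rearm_on_failure -- True: re-arm the timer after a failed refresh (fix);
                        False: drop it, as the original handler did
    online_at        -- second at which winbindd goes online; the fixed code
                        refreshes immediately then instead of waiting for the
                        next timer tick (point 2 in the thread)
    Returns (seconds at which a refresh succeeded,
             seconds during which an expired ticket sat in the ccache).
    """
    expires = lifetime          # ticket obtained at t=0
    next_refresh = interval     # timer armed at startup
    refreshed, expired = [], []
    for t in range(ticks):
        go_online = online_at is not None and t == online_at
        if next_refresh is not None and (t >= next_refresh or go_online):
            if t not in kdc_down:
                expires = t + lifetime
                refreshed.append(t)
                next_refresh = t + interval
            elif rearm_on_failure:
                next_refresh = t + interval   # keep the chain alive
            else:
                next_refresh = None           # chain broken: never fires again
        if t >= expires:
            expired.append(t)                 # stale ticket visible to apps
    return refreshed, expired

OUTAGE = set(range(4, 14))   # constructed: KDC unreachable from t=4 to t=13

if __name__ == "__main__":
    for label, rearm, online in (("broken chain", False, None),
                                 ("re-armed chain", True, None),
                                 ("re-armed + refresh on online", True, 14)):
        r, e = simulate(OUTAGE, rearm, online)
        print(f"{label:30s} refreshed at {r}, expired ticket during {e}")
```

With the broken chain no refresh ever happens again after the outage, so the expired ticket stays in the ccache for the rest of the run; re-arming recovers once the KDC is back, and refreshing on the online transition removes the remaining lag.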


