[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb
Christof Schmitt
christof.schmitt at us.ibm.com
Tue Oct 2 13:35:19 MDT 2012
Andrew Bartlett wrote on 09/26/2012 12:12:41 AM:
> On Tue, 2012-09-25 at 23:30 -0700, Christian Ambach wrote:
> > On 09/25/2012 10:25 PM, Stefan (metze) Metzmacher wrote:
>
> > > we also need to mutex the netlogon_creds_CredentialState->sequence etc.
> > > And on the client we typically need to mutex around network/ipc operations,
> > > which should not be mutexed by a tdb lock.
> >
> > In which cases (e.g. against which DC versions) is that mechanism used?
> > When certain RPC calls or validationlevels are not available? I am not
> > very deep into the schannel / authentication pieces, so I (and maybe
> > others) could use some coaching here.
>
> While the most common operation (SamLogonEx) does not use the sequence
> stuff, and most recent DCs support that, there are other netlogon calls
> that use the sequence number stuff.
>
> I'm sorry I don't have details to hand, but I agree with metze that we
> need to do this properly.
This is a new version of the patches, based on a short discussion with
Christian and Volker. The idea was to fix the problem in a way that
can also be backported to 3.6 builds.
Changes from the previous version:
- Use g_lock instead of holding the record locked
- Use a different tdb for the client side. The server side uses
transactions while they are not required for the client side
updates from winbind. Using a different tdb avoids potential
problems here.
The patches do not address the sequence number updates; I would need
some advice on how to approach this part.
The patches pass the samba4.rpc.schannel test cases. I could not do
more testing since there are problems with 'make test' on my system
even without any added patches.
Regards,
Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-Use-dbwrap-for-accessing-tdb-in-schannel_state_.patch
Type: application/octet-stream
Size: 8875 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-auth-make-schannel_store-_fetch-usable-by-winbind.patch
Type: application/octet-stream
Size: 3461 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-winbind-Store-schannel-credentials-in-tdb.patch
Type: application/octet-stream
Size: 5599 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment-0002.obj>
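Why the sequence number needs a mutex that spans the network call, and not just a tdb record lock, as an added example that is not part of this thread or of Samba's code. It simulates two winbind children sharing one stored netlogon credential state against a DC. The arithmetic follows the MS-NRPC credential chain in simplified form (the stored credential advances by timestamp + 1 on every authenticated call, so both sides must see the calls in the same order). The session key and seed are constructed values, and ComputeNetlogonCredential (DES or AES-CFB8 keyed by the session key in the real protocol) is replaced by a truncated HMAC stand-in so the script runs with the standard library only; both children run in one process with the interleaving spelled out instead of real concurrency.

```python
import hashlib
import hmac
import struct

# Constructed values; not a real session key or netlogon seed.
SESSION_KEY = bytes(range(16))
SEED = bytes.fromhex("0102030405060708")


def compute_credential(session_key: bytes, data: bytes) -> bytes:
    """Stand-in for ComputeNetlogonCredential (assumption: the real primitive is
    DES/AES-CFB8 keyed by the session key; HMAC-SHA256 truncated to 8 bytes is
    used here only so the chain arithmetic can be demonstrated offline)."""
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


def add32(cred: bytes, n: int) -> bytes:
    """Add n to the first four bytes of an 8-byte credential as a little-endian
    uint32, discarding the carry (the MS-NRPC stored-credential update)."""
    (lo,) = struct.unpack("<I", cred[:4])
    return struct.pack("<I", (lo + n) & 0xFFFFFFFF) + cred[4:]


def make_authenticator(seed: bytes, sequence: int, session_key: bytes):
    """Client side of one authenticated netlogon call, simplified.
    Returns (timestamp, credential, new_seed). The new seed must be written
    back before any other caller reads the shared state."""
    timestamp = sequence + 1
    credential = compute_credential(session_key, add32(seed, timestamp))
    new_seed = add32(seed, timestamp + 1)
    return timestamp, credential, new_seed


class DomainController:
    """Server side: keeps its own copy of the stored credential and advances it
    in lock step with every call it accepts."""

    def __init__(self, session_key: bytes, seed: bytes):
        self.session_key = session_key
        self.seed = seed

    def verify(self, timestamp: int, credential: bytes) -> bool:
        expected = compute_credential(self.session_key, add32(self.seed, timestamp))
        if not hmac.compare_digest(expected, credential):
            # Chain broken: client and DC no longer agree on the stored credential.
            return False
        self.seed = add32(self.seed, timestamp + 1)
        return True


def simulate(serialized: bool, rounds: int = 3):
    """Two winbind children share one stored record {seed, sequence}.
    serialized=True: each child holds a mutex across read, DC call and write-back.
    serialized=False: both children read the record, then each talks to the DC,
    then each writes back (what a bare tdb record lock around the write allows).
    Returns (accepted_calls, total_calls)."""
    store = {"seed": SEED, "sequence": 0}  # the shared tdb record
    dc = DomainController(SESSION_KEY, SEED)
    accepted = 0
    for _ in range(rounds):
        if serialized:
            for _child in range(2):
                # critical section: read, compute, network call, write-back
                ts, cred, new_seed = make_authenticator(
                    store["seed"], store["sequence"], SESSION_KEY)
                if dc.verify(ts, cred):
                    accepted += 1
                store["seed"], store["sequence"] = new_seed, ts
        else:
            snapshot = (store["seed"], store["sequence"])
            pending = [make_authenticator(*snapshot, SESSION_KEY) for _child in range(2)]
            for ts, cred, new_seed in pending:
                # second child presents the same authenticator; the DC has moved on
                if dc.verify(ts, cred):
                    accepted += 1
                store["seed"], store["sequence"] = new_seed, ts
    return accepted, 2 * rounds


if __name__ == "__main__":
    print("mutex across the call :", simulate(True))
    print("record lock only      :", simulate(False))
```

With the mutex held across the whole call every authenticator is accepted; with only the write-back serialized, the second child of every round is rejected because it built its credential from state the DC had already advanced past. In Samba terms this is the failure metze describes: the lock protecting the tdb record is not sufficient, the network exchange itself has to be inside the critical section.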