[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb

Christof Schmitt christof.schmitt at us.ibm.com
Tue Oct 2 13:35:19 MDT 2012

Andrew Bartlett wrote on 09/26/2012 12:12:41 AM:
> On Tue, 2012-09-25 at 23:30 -0700, Christian Ambach wrote:
> > On 09/25/2012 10:25 PM, Stefan (metze) Metzmacher wrote:
> > > we also need to mutex the netlogon_creds_CredentialState->sequence 
> > > And on the client we typically need to mutex arround network/ipc 
> > > which should not be mutexed by a tdb lock.
> > 
> > In which cases (e.g. against which DC versions) is that mechanism 
> > When certain RPC calls or validationlevels are not available? I am not 

> > very deep into the schannel / authentication pieces, so I (and maybe 
> > others) could use some coaching here.
> While the most common operation (SamLogonEx) does not use the sequence
> stuff, and most recent DCs support that, there are other netlogon calls
> that use the sequence number stuff. 
> I'm sorry I don't have details to hand, but I agree with metze that we
> need to do this properly. 

This is a new version of the patches, based on a short discussion with
Christian and Volker. The idea was to fix the problem in a way that
can also be backported to 3.6 builds.

Changes from the previous version:
 - Use g_lock instead of holding the record locked
 - Use a different tdb for the client side. The server side uses
   transactions while they are not required for the client side
   updates from winbind. Using a different tdb avoid potential
   problems here.

The patches do not address the sequence number updates, i would need
some advice how to approach this part.

The patches pass the samba4.rpc.schannel test cases. I could not do
more testing since there are problems with 'make test' on my system
even without any added patches.


Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-Use-dbwrap-for-accessing-tdb-in-schannel_state_.patch
Type: application/octet-stream
Size: 8875 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-auth-make-schannel_store-_fetch-usable-by-winbind.patch
Type: application/octet-stream
Size: 3461 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-winbind-Store-schannel-credentials-in-tdb.patch
Type: application/octet-stream
Size: 5599 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/023945d2/attachment-0002.obj>

More information about the samba-technical mailing list