[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb
Volker Lendecke
Volker.Lendecke at SerNet.DE
Sat Oct 6 07:38:35 MDT 2012
On Tue, Oct 02, 2012 at 01:35:19PM -0600, Christof Schmitt wrote:
> Andrew Bartlett wrote on 09/26/2012 12:12:41 AM:
> > On Tue, 2012-09-25 at 23:30 -0700, Christian Ambach wrote:
> > > On 09/25/2012 10:25 PM, Stefan (metze) Metzmacher wrote:
> >
> > > > we also need to mutex the netlogon_creds_CredentialState->sequence
> etc.
> > > > And on the client we typically need to mutex arround network/ipc
> operations,
> > > > which should not be mutexed by a tdb lock.
> > >
> > > In which cases (e.g. against which DC versions) is that mechanism
> used?
> > > When certain RPC calls or validationlevels are not available? I am not
>
> > > very deep into the schannel / authentication pieces, so I (and maybe
> > > others) could use some coaching here.
> >
> > While the most common operation (SamLogonEx) does not use the sequence
> > stuff, and most recent DCs support that, there are other netlogon calls
> > that use the sequence number stuff.
> >
> > I'm sorry I don't have details to hand, but I agree with metze that we
> > need to do this properly.
>
> This is a new version of the patches, based on a short discussion with
> Christian and Volker. The idea was to fix the problem in a way that
> can also be backported to 3.6 builds.
>
> Changes from the previous version:
> - Use g_lock instead of holding the record locked
> - Use a different tdb for the client side. The server side uses
> transactions while they are not required for the client side
> updates from winbind. Using a different tdb avoid potential
> problems here.
>
> The patches do not address the sequence number updates, i would need
> some advice how to approach this part.
>
> The patches pass the samba4.rpc.schannel test cases. I could not do
> more testing since there are problems with 'make test' on my system
> even without any added patches.
As already pointed out offline:
cli_rpc_pipe_open_schannel_with_key does not give a proper
error message if the key is wrong, so the retry logic does
not kick in here. Probably we need to delete the schannel
key in invalidate_cm_connection().
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list