[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb

Christian Ambach ambi at samba.org
Tue Sep 18 19:43:14 MDT 2012


On 08/01/2012 10:19 AM, Christof Schmitt wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 07/31/2012 04:37:40 PM:
>>> The patch stores the netlogon credentials per domain controller in
>>> secrets.tdb. If there are already credentials before establishing a
>>> netlogon session, those credentials are reused. If the reused
>>> credentials are no longer valid, they are deleted and the netlogon
>>> session is established with new credentials.
>>
>> This seems to duplicate the code in libcli/auth/schannel_state_tdb.c
>> which is used for the same task on the server side.
>>
>> I know it might mean sorting this out to be dbwrap aware, but I would
>> really like to reduce the duplication in this area.
>
> Ok, I will work on an updated patch to reuse the code in
> schannel_state_tdb.c.
>

The bad thing about that proposal is that this will require moving
dbwrap_open (and the whole CTDB connection code connected to that) to
common code, as this needs to work cluster-wide, so the credentials need
to be stored in a CTDB-managed tdb. As recently discussed, it is not a
good idea to put a dependency from / code into source?; it should only
be the other way around.

Using the existing secrets.tdb has the beauty of the code avoiding that 
move, but otherwise it is also the wrong location as this information 
should not live in a persistent database, but in a volatile one.

I'll have to see how to move dbwrap_open to lib/dbwrap without too many 
intrusive changes.

Cheers,
Christian


