[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb
christof.schmitt at us.ibm.com
Wed Sep 19 14:40:31 MDT 2012
Andrew Bartlett <abartlet at samba.org> wrote on 09/18/2012 10:21:30 PM:
> On Tue, 2012-09-18 at 18:43 -0700, Christian Ambach wrote:
> > On 08/01/2012 10:19 AM, Christof Schmitt wrote:
> > > Ok, I will work on an updated patch to reuse the code in
> > > schannel_state_tdb.c.
> > The bad thing about that proposal is that this will require moving
> > dbwrap_open (and the whole CTDB connection code connected to that) to
> > common code as this needs to work cluster-wide, so the credentials
> > to be stored in a CTDB-managed tdb. As recently discussed, it is not a
> > good idea to put a dependency from / code into source?, it should only
> > be the other way around.
> > Using the existing secrets.tdb has the beauty of the code avoiding
> > move, but otherwise it is also the wrong location as this information
> > should not live in a persistent database, but in a volatile one.
> > I'll have to see how to move dbwrap_open to lib/dbwrap without too
> > intrusive changes.
> There are a few ways some of this can be managed. The bulk of the code
> can be handed an already-open handle (for example) so we don't need to
> deal with the ctdb open.

Passing a dbwrap handle to the code is an easy change. What
complicated things was that my approach was to fetch a locked record
and keep it locked during the DC authentication. The code in
schannel_state_tdb.c does not keep the lock, so this needs to be
changed, or an additional lock would be required to guarantee
exclusive access to the DC during the authentication.

A related question: cm_prepare_connection in
source3/winbindd/winbindd_cm.c already uses a mutex. Can someone
describe what this mutex protects?

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)