[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb

Christof Schmitt christof.schmitt at us.ibm.com
Wed Sep 19 14:40:31 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 09/18/2012 10:21:30 PM:

> On Tue, 2012-09-18 at 18:43 -0700, Christian Ambach wrote:
> > On 08/01/2012 10:19 AM, Christof Schmitt wrote:
> > > Ok, i will work on an updated patch to reuse the code in
> > > schannel_state_tdb.c.
> > 
> > The bad thing about that proposal is that this will require to move
> > dbwrap_open (and the whole CTDB connection code connected to that) to
> > common code as this needs to work cluster-wide, so the credentials need
> > to be stored in a CTDB-managed tdb. As recently discussed, it is not a
> > good idea to put a dependency from / code into source?, it should only
> > be the other way around.
> > 
> > Using the existing secrets.tdb has the beauty of the code avoiding that
> > move, but otherwise it is also the wrong location as this information
> > should not live in a persistent database, but in a volatile one.
> > 
> > I'll have to see how to move dbwrap_open to lib/dbwrap without too many
> > intrusive changes.
> 
> There are a few ways some of this can be managed.  The bulk of the code
> can be handed a already-open handle (for example) so we don't need to
> deal with the ctdb open.

Passing a dbwrap handle to the code is an easy change. What
complicated things was that my approach was to fetch a locked record
and keep it locked during the DC authentication. The code in
schannel_state_tdb.c does not keep the lock, so this needs to be
changed, or an additional lock would be required to guarantee
exclusive access to the DC during the authentication.

A related question: cm_prepare_connection in
source3/winbindd/winbindd_cm.c already uses a mutex. Can someone
describe what this mutex protects?

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
