[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb

Andrew Bartlett abartlet at samba.org
Wed Sep 19 19:12:57 MDT 2012

On Wed, 2012-09-19 at 15:07 -0700, Christian Ambach wrote:
> On 09/19/2012 01:40 PM, Christof Schmitt wrote:
> >
> > Passing a dbwrap handle to the code is an easy change. What
> > complicated things was that my approach was to fetch a locked record
> > and keep it locked during the DC authentication. The code in
> > schannel_state_tdb.c does not keep the lock, so this needs to be
> > changed, or an additional lock would be required to guarantee
> > exclusive access to the DC during the authentication.
> You could add a _locked variant that returns the record in locked state.
> > A related question: cm_prepare_connection in
> > source3/winbindd/winbindd_cm.c already uses a mutex. Can someone
> > describe what this mutex protects?
> There are some comments in auth/auth_domain.c explaining the need for 
> the mutex:
> /* we use a mutex to prevent two connections at once - when a·
>     Win2k PDC get two connections where one hasn't completed a·
>     session setup yet it will send a TCP reset to the first·
>     connection (tridge) */

To understand this, read 'reset on zero vc' in man smb.conf

> /*
>   * With NT4.x DC's *all* authentication must be serialized to avoid
>   * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
>   */

This to us not understanding the need for exactly this patch set, so a
finished patch set would remove this comment as obsolete, once this code
uses it as well. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba-technical mailing list