[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb
Andrew Bartlett
abartlet at samba.org
Wed Sep 19 19:12:57 MDT 2012
On Wed, 2012-09-19 at 15:07 -0700, Christian Ambach wrote:
> On 09/19/2012 01:40 PM, Christof Schmitt wrote:
> >
> > Passing a dbwrap handle to the code is an easy change. What
> > complicated things was that my approach was to fetch a locked record
> > and keep it locked during the DC authentication. The code in
> > schannel_state_tdb.c does not keep the lock, so this needs to be
> > changed, or an additional lock would be required to guarantee
> > exclusive access to the DC during the authentication.
>
> You could add a _locked variant that returns the record in locked state.
>
> > A related question: cm_prepare_connection in
> > source3/winbindd/winbindd_cm.c already uses a mutex. Can someone
> > describe what this mutex protects?
>
> There are some comments in auth/auth_domain.c explaining the need for
> the mutex:
>
> /* we use a mutex to prevent two connections at once - when a
> Win2k PDC get two connections where one hasn't completed a
> session setup yet it will send a TCP reset to the first
> connection (tridge) */
To understand this, read 'reset on zero vc' in man smb.conf
> /*
> * With NT4.x DC's *all* authentication must be serialized to avoid
> * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
> */
This is due to us not understanding the need for exactly this patch set, so a
finished patch set would remove this comment as obsolete, once this code
uses it as well.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org