[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb

Christof Schmitt christof.schmitt at us.ibm.com
Tue Sep 25 18:01:50 MDT 2012


Andrew Bartlett <abartlet at samba.org> wrote on 09/19/2012 06:12:57 PM:

> On Wed, 2012-09-19 at 15:07 -0700, Christian Ambach wrote:
> > On 09/19/2012 01:40 PM, Christof Schmitt wrote:
> > >
> > > Passing a dbwrap handle to the code is an easy change. What
> > > complicated things was that my approach was to fetch a locked record
> > > and keep it locked during the DC authentication. The code in
> > > schannel_state_tdb.c does not keep the lock, so this needs to be
> > > changed, or an additional lock would be required to guarantee
> > > exclusive access to the DC during the authentication.
> > 
> > You could add a _locked variant that returns the record in locked state.

Here is a new patch series that switches schannel_state_tdb to dbwrap,
adds _locked variants and uses those in winbindd_cm. With these
patches, smbtorture base.bench now runs on a cluster without errors,
this is the test where we first found this issue.

> > > A related question: cm_prepare_connection in
> > > source3/winbindd/winbindd_cm.c already uses a mutex. Can someone
> > > describe what this mutex protects?
> > 
> > There are some comments in auth/auth_domain.c explaining the need for 
> > the mutex:
> > 
> > /* we use a mutex to prevent two connections at once - when a
> >     Win2k PDC get two connections where one hasn't completed a
> >     session setup yet it will send a TCP reset to the first
> >     connection (tridge) */
> 
> To understand this, read 'reset on zero vc' in man smb.conf
> 
> > /*
> >   * With NT4.x DC's *all* authentication must be serialized to avoid
> >   * ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
> >   */
> 
> This to us not understanding the need for exactly this patch set, so a
> finished patch set would remove this comment as obsolete, once this code
> uses it as well. 

Thanks for the explanation. My understanding is that the schannel
problem is different from the one when first establishing sessions, so
we need to keep that mutex.

Regards,

Christof Schmitt || IBM || SONAS System Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469  (T/L: 321-2469)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-Use-dbwrap-for-accessing-tdb-in-schannel_state_.patch
Type: application/octet-stream
Size: 8830 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120925/57426037/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-auth-Introduce-_locked-functions-in-schannel_state_t.patch
Type: application/octet-stream
Size: 7172 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120925/57426037/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s3-winbindd-Store-schannel-credentials-for-reuse.patch
Type: application/octet-stream
Size: 5683 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120925/57426037/attachment-0002.obj>
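The locking point made in the message above (fetch the schannel record locked and keep it locked for the whole DC authentication, rather than copying the state out and writing it back afterwards) as an added example; this is not code from the mail, the attached patches or Samba. It is a small C model: the netlogon credential chain is reduced to a counter that client and DC must advance in lock step (an assumption standing in for the real credential computation), two winbindd children are interleaved round-robin one step at a time, and a plain copy-out fetch is compared with a _locked fetch whose lock is released only after the store. All identifiers (model_run, model_fetch and the rest) are hypothetical.

```c
/* Added example, not Samba code: why the schannel state has to be
 * fetched locked and stay locked across the DC authentication. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_WORKERS 8

/* DC side. The credential chain is modelled as a counter the DC expects
 * the client to present in order (assumption: stand-in for the real
 * netlogon credential computation). */
struct model_dc {
    uint64_t chain;
    unsigned rejected;
};

/* The shared record, standing in for the schannel state in secrets.tdb. */
struct model_record {
    uint64_t chain;
    bool locked;
};

enum step { FETCH, AUTH, STORE, DONE };

/* One winbindd child that wants to authenticate against the DC. */
struct model_worker {
    enum step step;
    uint64_t my_chain;   /* copy of the record taken at FETCH */
    bool ok;
};

static bool model_dc_auth(struct model_dc *dc, uint64_t client_chain)
{
    if (client_chain != dc->chain) {
        dc->rejected++;      /* client is out of step with the DC */
        return false;
    }
    dc->chain++;
    return true;
}

/* Without use_lock: plain copy-out, the record is free for everyone.
 * With use_lock: behaves like a _locked variant; the call fails while
 * another worker holds the record and the caller retries later. */
static bool model_fetch(struct model_record *r, struct model_worker *w,
                        bool use_lock)
{
    if (use_lock) {
        if (r->locked) {
            return false;
        }
        r->locked = true;
    }
    w->my_chain = r->chain;
    return true;
}

static void model_store(struct model_record *r, struct model_worker *w,
                        bool use_lock)
{
    if (w->ok) {
        r->chain = w->my_chain;
    }
    if (use_lock) {
        r->locked = false;   /* held across AUTH, released only here */
    }
}

static void model_step(struct model_worker *w, struct model_record *r,
                       struct model_dc *dc, bool use_lock)
{
    switch (w->step) {
    case FETCH:
        if (model_fetch(r, w, use_lock)) {
            w->step = AUTH;
        }
        break;
    case AUTH:
        w->ok = model_dc_auth(dc, w->my_chain);
        if (w->ok) {
            w->my_chain++;   /* advance the local copy with the DC */
        }
        w->step = STORE;
        break;
    case STORE:
        model_store(r, w, use_lock);
        w->step = DONE;
        break;
    case DONE:
        break;
    }
}

/* Interleave nworkers round-robin, one step each per round. Returns the
 * number of successful authentications; *rejected gets the DC refusals. */
unsigned model_run(unsigned nworkers, bool use_lock, unsigned *rejected)
{
    struct model_dc dc = { .chain = 100, .rejected = 0 };
    struct model_record rec = { .chain = 100, .locked = false };
    struct model_worker w[MAX_WORKERS] = { { 0 } };
    unsigned i, round, done;

    if (nworkers > MAX_WORKERS) {
        nworkers = MAX_WORKERS;
    }
    for (round = 0; round < 1000; round++) {
        done = 0;
        for (i = 0; i < nworkers; i++) {
            model_step(&w[i], &rec, &dc, use_lock);
            if (w[i].step == DONE) {
                done++;
            }
        }
        if (done == nworkers) {
            break;
        }
    }
    if (rejected != NULL) {
        *rejected = dc.rejected;
    }
    return nworkers - dc.rejected;
}

int main(void)
{
    unsigned rej;
    unsigned ok = model_run(2, false, &rej);
    printf("copy-out fetch: %u ok, %u rejected\n", ok, rej);
    ok = model_run(2, true, &rej);
    printf("locked fetch:   %u ok, %u rejected\n", ok, rej);
    return 0;
}
```

With the copy-out fetch both workers read the same state, the first one to talk to the DC advances the chain, and every later worker is refused because it presents stale credentials; the failure appears only when more than one child uses the record at the same time, which matches the thread's observation that base.bench exposed it on a cluster. With the _locked fetch the second worker simply waits until the first has stored and released the record, then picks up the advanced state. In the real patch series the lock is the dbwrap record lock handed back by the _locked variant rather than a bool, and the wait is a blocking record fetch rather than a retry on the next scheduler round.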