[PATCHES] Handle expired sessions in winbindd
Andrew Bartlett
abartlet at samba.org
Fri Jan 8 09:24:50 UTC 2016
On Thu, 2016-01-07 at 16:11 -0700, Christof Schmitt wrote:
> A SMB session from winbind to the DC can expire any time, when trying
> to
> connect to a pipe or when issuing a RPC call. Depending on which
> codepath receives the corresponding error code (SESSION_EXPIRED or
> IO_DEVICE_ERROR for RPC calls), the error is surfaced to the winbindd
> client, and can e.g. fail a SESSION_SETUP in smbd. This happened
> recently in a member server that is seeing many short-lived SMB
> connections and occassionally some of the getpwnam calls to winbindd
> fail due to the expired sessions.
>
> The attached patches catch the error and retry the same request on a
> new
> connection. The first patch is a hack to use the admember selftest
> environment for some testing. I was not sure of the best approach of
> getting some test coverage here. Maybe change the config of admember
> to
> use short-lived tickets, or create a new admember2 environment that
> uses
> a short ticket lifetime.
This approach is reasonable enough, and ad_dc doesn't have multiple DCs
in it, so you can just change that one KDC. However changing from
ad_dc_ntvfs to ad_dc will change some other things, perhaps fixing some
of the winbind flapping tests actually, because different other tests
will have run against it.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list