[PATCH] Next round of netlogon_cli_creds refactoring

Andrew Bartlett abartlet at samba.org
Sun Sep 17 03:36:17 UTC 2017

On Sun, 2017-09-17 at 04:23 +0200, Volker Lendecke wrote:
> On Sun, Sep 17, 2017 at 02:17:36PM +1200, Andrew Bartlett wrote:
> > These look good so far.  I'll review them in the next day or so. 
> > 
> > I'm just curious what the end goal of this is, you seem to be on a
> > particular path and it helps to know the destination for context.
> There's at least two deficiencies in the netlogon_creds_cli code.
> First, we do a G_LOCK_WRITE lock when doing an schannel bind. This
> should be a G_LOCK_READ. The second one is more important: When
> multiple winbinds simultaneously find the netlogon creds missing they
> all enter a G_LOCK_WRITE, but once they got the lock they don't
> re-check if someone else has properly established a serverauth. I've
> seen literally 5000 (five thousand) winbinds in a cluster waiting for
> the g_lock to do the serverauth. To get those two right we need to
> make the locking more flexible.
> To actually figure those two out and eventually fix them it took me a
> while to understand the code. On my way I found some places to make
> the code more understandable to me, and I could not keep my hands off.


It continues to really inspire me how we have, in all parts of Samba,
gone well past 'make it work' to 'make it work well in extreme
situation X'. 

I remember writing (part of) that comment you moved about SamLogonEx,
and it is so nice to have an infrastructure like the netlogon_cli_creds
that solves the problem properly.  It was really easy to plug in for
more calls when we had to implement SendToSam recently. 

Thanks for all your hard work to make this even better!

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list