[PATCH] s3-winbindd: Store schannel credentials in secrets.tdb
Andrew Bartlett
abartlet at samba.org
Fri Mar 22 06:11:30 MDT 2013
On Fri, 2012-10-05 at 09:08 +1000, Andrew Bartlett wrote:
> On Thu, 2012-10-04 at 15:56 -0700, Christof Schmitt wrote:
> > Andrew Bartlett <abartlet at samba.org> wrote on 10/03/2012 06:46:54 PM:
> >
> > > However you do it, you do need to serialise the sequence number updates
> > > for send, but a restructure may avoid you needing to serialise the whole
> > > request/reply chain. Essentially, we both probably need to read up the
> > > docs, and see if instead we can store an expected reply for a given
> > > sequence number. That would avoid needing to lock over the network ops
> > > waiting for the reply.
> >
> > I started looking into this part and reading MS-NRPC. Using the lock
> > only for sending the request would mean using the async calls
> > dcerpc_netr_LogonSamLogon_send() and dcerpc_netr_LogonSamLogon_recv()
> > instead of the sync one dcerpc_netr_LogonSamLogon().
> >
> > netlogon_creds_client_check() is simply a memcmp(), so the client
> > already has the expected reply for verifying the server response.
> >
> > Besides LogonSamLogon, the same changes have to be made for all calls
> > using the struct netr_Authenticator.
> >
> > Looking at the code, source3/rpc_client/cli_netlogon.c might be a good
> > place to make those changes. Maybe this file would be also a better
> > place to access the schannel tdb.
> >
> > I will continue from here, just let me know in case i am heading in
> > the wrong direction.
>
> Even better would be a set of generic, async wrappers around the
> dcerpc_netr_LogonSamLogon_send() and dcerpc_netr_LogonSamLogon_recv()
> (et al) calls that fills in the authenticator on the way out, and check
> it on the way back.
>
> We are trying to push the async layer up the stack as far as possible,
> so it would be best if new code didn't make that harder. (Particularly
> for crypto code, which few dare to touch once implemented :-)
Christof,
I had someone ask me about this recently. Where did we end up with
this?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list