Bug 618201
| Summary: | Cached credentials with winbind not working | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
| Component: | samba | Assignee: | Simo Sorce <ssorce> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | low |
| Version: | 13 | CC: | gdeschner, jlayton, oded, ssorce |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | samba-3.5.5-68.fc13 | Doc Type: | Bug Fix |
| Last Closed: | 2010-09-15 05:22:06 UTC | | |
Description
David Woodhouse
2010-07-26 11:58:23 UTC
OK, so I exaggerated a little -- it wasn't hours for 'id' to complete; it was only 10½ minutes.

[dwoodhou@i7 ews-sync]$ time id
uid=10000(dwoodhou) gid=10000(domain users) groups=10000(domain users),10001,10002,10003,10004,10005,10006,10007,10008,10009,10010,10011,10012,10013,10014,10015,10016,10017,10018,10019,10020,10021,10022,10023,10024,10025,10026,10027,10028,10029,10030,10031,10032,10033,10034,10035,10036,10037 context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
real 10m18.571s

This gives me a winbindd_cache.tdb which is about half a gigabyte, to be discarded next time winbindd starts up.

As for the validation failure -- it looks like tdb_check() will always return failure without *any* log output if invoked on a read-only database. tdb_lockall() fails.

Progress... now I can log in even when the VPN is down (although I have to wait a while after restarting winbindd; it's not instant).

--- source3/lib/tdb_validate.c~ 2010-06-18 13:01:04.000000000 +0100 +++ source3/lib/tdb_validate.c 2010-07-26 14:39:48.304324895 +0100 @@ -50,6 +50,7 @@ static int tdb_validate_child(struct tdb */ ret = tdb_check(tdb, NULL, NULL); if (ret == -1) { + DEBUG(1, ("tdb_check failed\n")); v_status.tdb_error = True; v_status.success = False; goto out;
@@ -192,7 +193,7 @@ int tdb_validate_open(const char *tdb_pa DEBUG(5, ("tdb_validate_open called for tdb '%s'\n", tdb_path)); - tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDONLY, 0); + tdb = tdb_open_log(tdb_path, 0, TDB_DEFAULT, O_RDWR, 0); if (!tdb) { DEBUG(1, ("Error opening tdb %s\n", tdb_path)); return ret;

Now, is there anything we ship that actually *uses* ntlm_auth to handle NTLM authentication? Firefox should, but it doesn't seem to work. Curl and libsoup don't, Evolution doesn't, ...

Hm, even with the above patches it's not working correctly for SSH logins with key authentication (and therefore presumably won't work for gdm-autologin either). If we don't use a password to authenticate, then nothing ever calls add_ccache_to_list() at login time and winbindd never actually refreshes the Kerberos tickets as it's supposed to.

This looks like something we should report upstream.

*** Bug 592055 has been marked as a duplicate of this bug. ***

samba-3.5.4-64.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/samba-3.5.4-64.fc13

Please include this too: https://bugzilla.samba.org/show_bug.cgi?id=7589#c2

samba-3.5.4-65.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/samba-3.5.4-65.fc13

samba-3.5.4-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update samba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/samba-3.5.4-65.fc13

I crashed the update, but I'm not sure if it's a *new* crash. https://bugzilla.samba.org/show_bug.cgi?id=7636

samba-3.5.4-67.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/samba-3.5.4-67.fc13

samba-3.5.5-68.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/samba-3.5.5-68.fc13

samba-3.5.5-68.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
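
Review bot: In the tdb_validate_child hunk of the tdb_validate.c patch above, the new DEBUG(1, ("tdb_check failed\n")) message does not say which database failed or why, so a level-1 log line from a host with several tdb files cannot be tied to the cache that was rejected. Include the database name and the tdb error string in the message, for example via tdb_name(tdb) and tdb_errorstr(tdb), in the same way the "Error opening tdb %s" message in the second hunk already names tdb_path.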
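
Review bot: In the tdb_validate_open hunk of the tdb_validate.c patch above, changing the tdb_open_log() flag from O_RDONLY to O_RDWR means a routine whose job is only to validate now needs write access to the cache file. A caller that can read but not write the file will land in the "Error opening tdb" branch, and the validator holds a writable handle it is not expected to write through. If the read-write open is there only so that tdb_check() can take its lock, say so in a comment beside the call, and log strerror(errno) in the open-failure DEBUG so a permission failure can be told apart from a missing file.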