[Freeipa-devel] [PATCH] 0071 Recover from invalid cached credentials in ipasam

Alexander Bokovoy abokovoy at redhat.com
Tue Aug 21 07:11:57 UTC 2012


On Tue, 21 Aug 2012, Simo Sorce wrote:
>----- Original Message -----
>> Hi,
>>
>> https://fedorahosted.org/freeipa/ticket/3009
>
>What prevents this patch from causing an infinite loop if we keep getting the same error back at each interaction?

The loop is triggered when Kerberos credentials were obtained
successfully based on cached credentials in the ccache but the SASL
operation denied them. At this point the code after the notdone label will
wipe out the content of the ccache and attempt to acquire credentials
online based on the content of Samba's keytab.

Obtained credentials will be put into the ccache for further cached use.

If any step in acquiring credentials fails, the callback returns with
LDAP_LOCAL_ERROR, effectively ending the current SASL auth attempt. On a
higher level, the smbldap API user retries several times (up to two dozen
times) to authenticate and on complete failure calls smb_panic().

If credentials were acquired correctly at the previous step, the SASL step cannot fail
with LDAP_INVALID_CREDENTIALS; there will be another error message,
either LDAP_INAPPROPRIATE_AUTH or LDAP_INSUFFICIENT_ACCESS. In the case of a
FreeIPA setup we shouldn't see the remaining security error,
LDAP_X_PROXY_AUTHZ_FAILURE. Any of those will get us out of the loop.

Thus, this loop is run at most twice. 

-- 
/ Alexander Bokovoy
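As an added illustration of why the loop described above is bounded (a constructed model written for this archive page, not ipasam's or Samba's code): the ccache, keytab and server verdict are modelled as hypothetical flags, each SASL bind is counted, and the case Simo asks about, where the server keeps returning the same error, is covered by the iteration cap.

```c
#include <stdbool.h>
/* LDAP result codes named in the thread (values as in RFC 4511 / ldap.h). */
#define LDAP_SUCCESS             0x00
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_INSUFFICIENT_ACCESS 0x32
#define LDAP_LOCAL_ERROR         0x52
/* Constructed model of what the callback sees; not a Samba structure. */
struct cred_state {
    bool ccache_valid;   /* ccache currently holds a ticket */
    bool ccache_stale;   /* the server will reject that cached ticket */
    bool keytab_usable;  /* fresh creds can be obtained from the keytab */
    int  fresh_cred_rc;  /* server's verdict on freshly acquired creds */
    int  sasl_attempts;  /* number of SASL binds actually performed */
};

/* Hypothetical server verdict on one SASL bind. */
static int sasl_bind(struct cred_state *s, bool from_cache)
{
    s->sasl_attempts++;
    if (from_cache)
        return s->ccache_stale ? LDAP_INVALID_CREDENTIALS : LDAP_SUCCESS;
    return s->fresh_cred_rc;
}
/* The "notdone" path: wipe the ccache, then fetch creds online from the
 * keytab and put them into the ccache for further cached use. */
static bool reacquire_from_keytab(struct cred_state *s)
{
    s->ccache_valid = false;
    s->ccache_stale = false;
    if (!s->keytab_usable)
        return false;
    s->ccache_valid = true;
    return true;
}
#define MAX_SASL_TRIES 2  /* "this loop is run at most twice" */
/* Returns the final LDAP result code of one authentication attempt. */
static int sasl_auth(struct cred_state *s)
{
    bool from_cache = s->ccache_valid;
    for (int i = 0; i < MAX_SASL_TRIES; i++) {
        if (!from_cache && !reacquire_from_keytab(s))
            return LDAP_LOCAL_ERROR;   /* no creds at all: end this attempt */
        int rc = sasl_bind(s, from_cache);
        if (rc != LDAP_INVALID_CREDENTIALS)
            return rc;                 /* success or a non-retryable error */
        from_cache = false;            /* cached creds refused: go online */
    }
    return LDAP_LOCAL_ERROR;           /* bound hit if refusals keep coming */
}
```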
