[Freeipa-devel] [PATCH] 0071 Recover from invalid cached credentials in ipasam

Simo Sorce ssorce at redhat.com
Tue Aug 21 09:59:16 UTC 2012


----- Original Message -----
> On Tue, 21 Aug 2012, Simo Sorce wrote:
> >----- Original Message -----
> >> Hi,
> >>
> >> https://fedorahosted.org/freeipa/ticket/3009
> >
> >What prevents this patch from causing an infinite loop if we keep
> >getting the same error back at each interaction ?
> 
> The loop is triggered when kerberos credentials were obtained
> successfully based on cached credentials in the ccache but the SASL
> operation denied them. At this point the code after the notdone label
> will wipe out the content of the ccache and attempt to acquire
> credentials online based on the content of samba's keytab.
> 
> Obtained credentials will be put into the ccache for further cached
> use.
> 
> If any step in acquiring credentials fails, the callback returns with
> LDAP_LOCAL_ERROR, effectively ending the current SASL auth attempt. At
> a higher level the smbldap API user retries several times (up to two
> dozen times) to authenticate and on complete failure calls smb_panic().
> 
> If credentials were acquired correctly at the previous step, the SASL
> step cannot fail with LDAP_INVALID_CREDENTIALS; there will be another
> error message, either LDAP_INAPPROPRIATE_AUTH or
> LDAP_INSUFFICIENT_ACCESS. In the case of a FreeIPA setup we shouldn't
> see the remaining security error, LDAP_X_PROXY_AUTHZ_FAILURE. Any of
> those will get us out of the loop.
> 
> Thus, this loop is run at most twice.

Ok, then ACK.

Simo.
