----- Original Message -----
> On Tue, 21 Aug 2012, Simo Sorce wrote:
> >----- Original Message -----
> >> Hi,
> >>
> >> https://fedorahosted.org/freeipa/ticket/3009
> >
> >What prevents this patch from causing an infinite loop if we keep
> >getting the same error back at each interaction ?
> 
> The loop is triggered when kerberos credentials were obtained
> successfully based on cached credentials in the ccache but SASL
> operation denied them. At this point a code after notdone label will
> wipe out content of the ccache and attempt to acquire credentials
> online based on the content of samba's keytab.
> 
> Obtained credentials will be put into the ccache for further cached
> use.
> 
> If any step in acquiring credentials fails, the callback returns with
> LDAP_LOCAL_ERROR, effectively ending current SASL auth attempt. On
> higher level smbldap API user retries several times (up to two dozen
> times) to authenticate and on complete failure calls smb_panic().
> 
> If credentials were acquired at previous step correctly SASL step
> cannot fail
> with LDAP_INVALID_CREDENTIALS, there will be another error message,
> either LDAP_INAPPROPRIATE_AUTH or LDAP_INSUFFICIENT_ACCESS. In case
> of
> FreeIPA setup we shouldn't remaining security error,
> LDAP_X_PROXY_AUTHZ_FAILURE. Any of those will get us out of the loop.
> 
> Thus, this loop is run at most twice.

Ok, then ACK.

Simo.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to