----- Original Message -----
> On Tue, 21 Aug 2012, Simo Sorce wrote:
> >----- Original Message -----
> >> Hi,
> >> https://fedorahosted.org/freeipa/ticket/3009
> >What prevents this patch from causing an infinite loop if we keep
> >getting the same error back at each interaction ?
> The loop is triggered when kerberos credentials were obtained
> successfully based on cached credentials in the ccache but SASL
> operation denied them. At this point a code after notdone label will
> wipe out content of the ccache and attempt to acquire credentials
> online based on the content of samba's keytab.
> Obtained credentials will be put into the ccache for further cached
> If any step in acquiring credentials fails, the callback returns with
> LDAP_LOCAL_ERROR, effectively ending current SASL auth attempt. On
> higher level smbldap API user retries several times (up to two dozen
> times) to authenticate and on complete failure calls smb_panic().
> If credentials were acquired at previous step correctly SASL step
> cannot fail
> with LDAP_INVALID_CREDENTIALS, there will be another error message,
> either LDAP_INAPPROPRIATE_AUTH or LDAP_INSUFFICIENT_ACCESS. In case
> FreeIPA setup we shouldn't remaining security error,
> LDAP_X_PROXY_AUTHZ_FAILURE. Any of those will get us out of the loop.
> Thus, this loop is run at most twice.
Ok, then ACK.
Freeipa-devel mailing list