On Sun, 15 Aug 2010 23:09:54 +0200, Henrik Nordström <[email protected]> wrote:
> While trying to investigate Bug 2936 it seems the auth refcounting state
> in trunk is somewhat borked.
>
> The state of ntlm auth is considerably worse in trunk than 3.1.
>
> - Fails if external acls is used (any, not just with grace=.. as in 3.1)

any ideas why?

> - Fails with refcount error on second NTLM handshake.

If I've been following the snippets in IRC right, this is due to the absorb() function which attempts to combine duplicate credentials and maintain a single state. Which requires that the absorbed credentials be discarded immediately after. The assert is there to make it obvious when this requirement is broken.

The whole logic behind doing that absorb() for NTLM and Nego is out of sync with how those protocols work. It seems to have worked previously because we were not checking the discard requirement and letting the parsing/handshake-only temporary set of credentials be used for the life of the connection. (NP: this old behaviour led to that bug about wrong credentials usernameA being logged for a usernameB connection when they shared a token or IP at the handover time).

It's only now needed to maintain the max_user_ip count and the cachemgr dump of logged in users.

 * Saving the latest copy of credentials to the username hash and ignoring the absorb will work fine for the dump.

 * I can't think of a way to do the max_user_ip cleanly (incrementing can be done by absorb, but decrementing is trickier).

Amos
