On Mon, 16 Aug 2010 02:51:33 +0200, Henrik Nordström <[email protected]> wrote:
> Sun 2010-08-15 at 23:26 +0000, Amos Jeffries wrote:
>
>> > - Fails if external acls are used (any, not just with grace=.. as in
>> > 3.1)
>>
>> any ideas why?
>
> No, haven't really dug into the code yet. Was just observing to verify
> that the claims in 2936 could be reproduced and found a much worse
> situation than expected.
>
>> > - Fails with refcount error on second NTLM handshake.
>>
>> If I've been following the snippets in IRC right, this is due to the
>> absorb() function which attempts to combine duplicate credentials and
>> maintain a single state. Which requires that the absorbed credentials be
>> discarded immediately after. The assert is there to make it obvious when
>> this requirement is broken.
>
> Design error?

Yes, in the user tracking.

> Was too long since I was in NTLM/Negotiate land (haven't seriously
> touched it since throwing out the challenge reuse layer years ago) and
> no longer remember the details about this temp credentials and
> absorbing.. but I do have a memory of it being a bit strange.

Basic flow around that absorb is:

  create empty AuthUser "local_auth_user"
  use local_auth_user to parse the received credentials header
  * (a) authenticate the local_auth_user credentials!!
  lookup existing user of local_auth_user in the cache "usernamehash"
  absorb() the local_auth_user details into usernamehash
  replace current request's local_auth_user with usernamehash
  ** leave any state links from (a) out to dry.

So, it should be fine forgoing the absorb() and simply updating the
username hash cache with the freshly authed local_auth_user credentials.
Or maybe reversing the absorb, so the newer local_auth_user preserves any
accounting history needed from usernamehash.

I'm not sure what/how to check for max_user_ip though.

There is a secondary flow though I think which should be preventing that
re-auth on an existing pconn. I can't easily find the code path though.

  open pconn receives second request + credentials
  lookup conn->user() credentials
  verify token exists in AuthUser::proxy_match_cache
  * auth new token if need be, adding to the resulting user credentials
    proxy_match_cache.

Amos
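The two flows Amos sketches above, as an added toy model that is not Squid's code: `absorbFlow` merges the temp user into the cached entry and then expects the temp to be unreferenced, while the in-flight auth step (a) still holds a link to it, so it passes on the first handshake and fails on the second; `refreshFlow` is the suggested alternative, letting the freshly authed user become the cache entry after copying the accounting history. All names (`AuthUser`, `UsernameHash`, `authenticate`, `absorbFlow`, `refreshFlow`) are assumed.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Toy model of the user tracking described in the mail (assumed names).
struct AuthUser {
    std::string username;
    std::vector<std::string> tokens;  // stands in for proxy_match_cache
    int requestsServed = 0;           // accounting that must be kept
};
using AuthUserPtr = std::shared_ptr<AuthUser>;
using UsernameHash = std::map<std::string, AuthUserPtr>;

// Step (a): the in-flight authentication keeps its own link to the temp user.
static AuthUserPtr authenticate(const AuthUserPtr& local) { return local; }

// absorb() pattern: merge the temp user into the cached entry, then require
// the temp to be unreferenced. Returns false when the link from (a) still
// holds it, which is what the refcount assert in the mail reports.
bool absorbFlow(UsernameHash& cache, const std::string& name, const std::string& token) {
    auto local = std::make_shared<AuthUser>();       // empty local_auth_user
    local->username = name;                          // parsed from the header
    local->tokens.push_back(token);
    AuthUserPtr stateLink = authenticate(local);     // (a) still outstanding
    auto& cached = cache[name];                      // lookup in usernamehash
    if (!cached) { cached = local; return true; }    // first sight: just cache it
    cached->tokens.insert(cached->tokens.end(), local->tokens.begin(), local->tokens.end());
    bool onlyRef = (local.use_count() == 1);         // the asserted requirement
    local.reset();                                   // discard the temp user
    return onlyRef;
}

// Suggested alternative: carry accounting history over and let the freshly
// authenticated user become the cache entry, so the link from (a) stays valid.
AuthUserPtr refreshFlow(UsernameHash& cache, const std::string& name, const std::string& token) {
    auto local = std::make_shared<AuthUser>();
    local->username = name;
    local->tokens.push_back(token);
    AuthUserPtr stateLink = authenticate(local);
    if (auto old = cache[name]) {                    // existing usernamehash entry
        local->requestsServed = old->requestsServed;
        local->tokens.insert(local->tokens.end(), old->tokens.begin(), old->tokens.end());
    }
    cache[name] = local;                             // old entry dies with its last ref
    ++cache[name]->requestsServed;
    return stateLink;                                // same object as cache[name]
}
```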
