Hi,
I have found some minor issues with automatic ticket renewal while testing.
If random ccache file names are used, the name of the ccache file should be kept if the user is not logged in but the TGT is still renewable.
If a user logs in and out repeatedly and random names are used, a new hash entry is created for every new ticket. The old entries just eat away some memory because the related ccache file is already deleted. Using the user name as the hash key solves this, because currently sssd (and MIT Kerberos) support one ccache per user.
bye, Sumit
On 12/14/2010 04:17 AM, Sumit Bose wrote:
> Hi,
> I have found some minor issues with automatic ticket renewal while testing.
> If random ccache file names are used, the name of the ccache file should be kept if the user is not logged in but the TGT is still renewable.
> If a user logs in and out repeatedly and random names are used, a new hash entry is created for every new ticket. The old entries just eat away some memory because the related ccache file is already deleted. Using the user name as the hash key solves this, because currently sssd (and MIT Kerberos) support one ccache per user.
Nack.
For future compatibility, it would be better if we keyed on the principal, rather than the username. Then we can support in the future one user with one ccache per principal.
We're actively working with MIT to try and get them to support multiple simultaneous TGTs, and I'd really like for us not to have to re-fix this when that comes through.
-- 
Stephen Gallagher RHCE 804006346421761
Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/
On Tue, Dec 14, 2010 at 12:21:39PM -0500, Stephen Gallagher wrote:
> On 12/14/2010 04:17 AM, Sumit Bose wrote:
>> Hi,
>> I have found some minor issues with automatic ticket renewal while testing.
>> If random ccache file names are used, the name of the ccache file should be kept if the user is not logged in but the TGT is still renewable.
>> If a user logs in and out repeatedly and random names are used, a new hash entry is created for every new ticket. The old entries just eat away some memory because the related ccache file is already deleted. Using the user name as the hash key solves this, because currently sssd (and MIT Kerberos) support one ccache per user.
> Nack.
> For future compatibility, it would be better if we keyed on the principal, rather than the username. Then we can support in the future one user with one ccache per principal.
> We're actively working with MIT to try and get them to support multiple simultaneous TGTs, and I'd really like for us not to have to re-fix this when that comes through.
OK, the new patch uses the principal. I have added another patch to allow a delete callback to be passed to sss_hash_create(). This is useful if hash_enter() is used to update entries.
bye, Sumit
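The renewal table the thread settles on, as an added example that is not sssd's code and does not use its dhash API: entries are keyed by the Kerberos principal rather than the random ccache file name, so a repeated login replaces the principal's entry in place, and a delete callback is run on the old value when an entry is updated, which is what the sss_hash_create() change above is for. The fixed-size array, the principal names and the ccache paths are assumptions for the demonstration.

```c
/* Added example, not sssd's code: a renewal table keyed by Kerberos principal.
 * A delete callback runs on the old value whenever an entry is updated, so a
 * new random ccache name for the same principal replaces the entry in place. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 64

typedef void (*delete_cb_t)(char *old_value);   /* called on the replaced value */

struct renew_entry { char *principal; char *ccache; };

struct renew_table {
    struct renew_entry entries[MAX_ENTRIES];
    size_t count;
    delete_cb_t delete_cb;                     /* NULL: just free() the old value */
};

int deleted_values;                            /* callback invocations (for the demo) */

void free_old_ccache(char *old_value)
{
    deleted_values++;
    free(old_value);
}

/* Insert or update the entry for 'principal'. Returns 0 on success, -1 on error. */
int renew_table_enter(struct renew_table *t, const char *principal, const char *ccache)
{
    char *copy = strdup(ccache);
    if (copy == NULL) return -1;
    for (size_t i = 0; i < t->count; i++) {
        if (strcmp(t->entries[i].principal, principal) != 0) continue;
        /* Same principal logged in again: release the old name, keep one entry. */
        if (t->delete_cb) t->delete_cb(t->entries[i].ccache);
        else free(t->entries[i].ccache);
        t->entries[i].ccache = copy;
        return 0;
    }
    if (t->count == MAX_ENTRIES || (t->entries[t->count].principal = strdup(principal)) == NULL) {
        free(copy);
        return -1;
    }
    t->entries[t->count].ccache = copy;
    t->count++;
    return 0;
}
```

With the callback installed, three logins by the same principal under different random ccache names leave one entry and free the two stale names; keying on the ccache name instead would have left three.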
On 12/17/2010 05:31 AM, Sumit Bose wrote:
> On Tue, Dec 14, 2010 at 12:21:39PM -0500, Stephen Gallagher wrote:
>> Nack.
>> For future compatibility, it would be better if we keyed on the principal, rather than the username. Then we can support in the future one user with one ccache per principal.
>> We're actively working with MIT to try and get them to support multiple simultaneous TGTs, and I'd really like for us not to have to re-fix this when that comes through.
> OK, the new patch uses the principal. I have added another patch to allow a delete callback to be passed to sss_hash_create(). This is useful if hash_enter() is used to update entries.
Patch 0001: Nack
I'd rather that you split out sss_hash_create() and sss_hash_create_ex(). The sss_hash_create() should omit the delete callback information. I would prefer sss_hash_create() to be the common case.

Patch 0002: Nack
Will need to be updated to match the above change.
Fix the patch commit comment to say "principal" rather than username.
Otherwise, the patch looks good.
On Fri, Dec 17, 2010 at 04:13:18PM -0500, Stephen Gallagher wrote:
> On 12/17/2010 05:31 AM, Sumit Bose wrote:
>> On Tue, Dec 14, 2010 at 12:21:39PM -0500, Stephen Gallagher wrote:
>>> Nack.
>>> For future compatibility, it would be better if we keyed on the principal, rather than the username. Then we can support in the future one user with one ccache per principal.
>>> We're actively working with MIT to try and get them to support multiple simultaneous TGTs, and I'd really like for us not to have to re-fix this when that comes through.
>> OK, the new patch uses the principal. I have added another patch to allow a delete callback to be passed to sss_hash_create(). This is useful if hash_enter() is used to update entries.
> Patch 0001: Nack
> I'd rather that you split out sss_hash_create() and sss_hash_create_ex(). The sss_hash_create() should omit the delete callback information. I would prefer sss_hash_create() to be the common case.
>
> Patch 0002: Nack
> Will need to be updated to match the above change.
> Fix the patch commit comment to say "principal" rather than username.
> Otherwise, the patch looks good.
New patches attached.
bye, Sumit
On 12/20/2010 06:16 AM, Sumit Bose wrote:
> On Fri, Dec 17, 2010 at 04:13:18PM -0500, Stephen Gallagher wrote:
>> Patch 0001: Nack
>> I'd rather that you split out sss_hash_create() and sss_hash_create_ex(). The sss_hash_create() should omit the delete callback information. I would prefer sss_hash_create() to be the common case.
>>
>> Patch 0002: Nack
>> Will need to be updated to match the above change.
>> Fix the patch commit comment to say "principal" rather than username.
>> Otherwise, the patch looks good.
> New patches attached.
Ack to both.
On 12/20/2010 09:31 AM, Stephen Gallagher wrote:
> On 12/20/2010 06:16 AM, Sumit Bose wrote:
>> On Fri, Dec 17, 2010 at 04:13:18PM -0500, Stephen Gallagher wrote:
>>> Patch 0001: Nack
>>> I'd rather that you split out sss_hash_create() and sss_hash_create_ex(). The sss_hash_create() should omit the delete callback information. I would prefer sss_hash_create() to be the common case.
>>>
>>> Patch 0002: Nack
>>> Will need to be updated to match the above change.
>>> Fix the patch commit comment to say "principal" rather than username.
>>> Otherwise, the patch looks good.
>> New patches attached.
> Ack to both.
Pushed to master.