Re: Note about auth refcounting state / ntlm in trunk

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Aug 2010 23:26:06 +0000

On Sun, 15 Aug 2010 23:09:54 +0200, Henrik Nordström
<henrik_at_henriknordstrom.net> wrote:
> While trying to investigate Bug 2936 it seems the auth refcounting state
> in trunk is somewhat borked.
>
> The state of ntlm auth is considerably worse in trunk than 3.1.
>
> - Fails if external acls are used (any, not just with grace=.. as in 3.1)

any ideas why?

> - Fails with refcount error on second NTLM handshake.

If I've been following the snippets in IRC right, this is due to the
absorb() function, which attempts to combine duplicate credentials and
maintain a single state. That requires that the absorbed credentials be
discarded immediately after. The assert is there to make it obvious when
this requirement is broken.

 The whole logic behind doing that absorb() for NTLM and Nego is out of
sync with how those protocols work. It seems to have worked previously
because we were not checking the discard requirement and letting the
parsing/handshake-only temporary set of credentials be used for the life of
the connection.
  (NP: this old behaviour led to that bug about wrong credentials
usernameA being logged for a usernameB connection when they shared a token
or IP at the handover time).
 It's only now needed to maintain the max_user_ip count and the cachemgr
dump of logged in users.
 * Saving the latest copy of credentials to the username hash and ignoring
the absorb will work fine for the dump.
 * I can't think of a way to do the max_user_ip cleanly (incrementing can
be done by absorb, but decrementing is trickier).

Amos
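The two points above (an absorbed temporary credential must be dropped right after absorb(), and the max_user_ip count needs a decrement as well as an increment) can be modelled in a small self-contained C++ sketch. This is an added example, not Squid's code: the UserIpRegistry, Credentials class and the scenario functions are hypothetical, and the usernames and IPs are constructed sample values. The decrement is handled by tying each credential's IP registrations to its destructor, so the count falls when the last reference to a credential goes away, and the check that stands in for the assert in the mail reports any absorbed copy that is still alive.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model, not Squid's code: per-user registry of how many live
// credential objects currently reference each client IP. The number of IPs
// with a non-zero count is what a max_user_ip style check would compare.
class UserIpRegistry {
public:
    void add(const std::string &user, const std::string &ip) { counts_[user][ip]++; }
    void release(const std::string &user, const std::string &ip) {
        auto u = counts_.find(user);
        if (u == counts_.end()) return;
        auto i = u->second.find(ip);
        if (i == u->second.end()) return;
        if (--i->second == 0) u->second.erase(i);   // last reference: IP no longer counted
        if (u->second.empty()) counts_.erase(u);     // user no longer logged in anywhere
    }
    size_t ipCount(const std::string &user) const {
        auto u = counts_.find(user);
        return u == counts_.end() ? 0 : u->second.size();
    }
private:
    std::map<std::string, std::map<std::string, unsigned>> counts_;
};

// Credentials register their IPs on construction and release them in the
// destructor, so the decrement happens whenever the last reference goes away
// (connection close, or the temporary handshake copy being dropped).
class Credentials {
public:
    Credentials(UserIpRegistry &reg, std::string user, std::string ip)
        : reg_(reg), user_(std::move(user)) { addIp(std::move(ip)); }
    ~Credentials() { for (const auto &ip : ips_) reg_.release(user_, ip); }
    Credentials(const Credentials &) = delete;
    Credentials &operator=(const Credentials &) = delete;

    // Merge a temporary (handshake-only) credential for the same user into
    // this long-lived one. The temporary's registrations move here and the
    // temporary is marked absorbed: its owner must drop it immediately.
    bool absorb(Credentials &tmp) {
        if (tmp.user_ != user_ || tmp.absorbed_) return false;
        for (const auto &ip : tmp.ips_) addIp(ip);
        for (const auto &ip : tmp.ips_) reg_.release(tmp.user_, ip);
        tmp.ips_.clear();
        tmp.absorbed_ = true;
        return true;
    }
    bool absorbed() const { return absorbed_; }
private:
    void addIp(std::string ip) { if (ips_.insert(ip).second) reg_.add(user_, ip); }
    UserIpRegistry &reg_;
    std::string user_;
    std::set<std::string> ips_;
    bool absorbed_ = false;
};

// Correct flow: each NTLM handshake produces a temporary credential that is
// absorbed and then discarded. Returns the user's IP count afterwards (1).
size_t ipCountAfterHandshakes(int handshakes) {
    UserIpRegistry reg;
    auto conn = std::make_shared<Credentials>(reg, "alice", "10.0.0.1");
    for (int i = 0; i < handshakes; ++i) {
        auto tmp = std::make_shared<Credentials>(reg, "alice", "10.0.0.1");
        conn->absorb(*tmp);
    }   // tmp is destroyed each iteration: the absorbed copy is discarded
    return reg.ipCount("alice");
}

// Decrement case: one user from two client IPs; closing the second connection
// drops its credentials and the count falls back. Returns (before, after).
std::pair<size_t, size_t> ipCountBeforeAfterClose() {
    UserIpRegistry reg;
    auto c1 = std::make_shared<Credentials>(reg, "bob", "10.0.0.1");
    auto c2 = std::make_shared<Credentials>(reg, "bob", "10.0.0.2");
    size_t before = reg.ipCount("bob");
    c2.reset();   // last reference gone: destructor releases 10.0.0.2
    return {before, reg.ipCount("bob")};
}

// Broken flow: the absorbed temporaries are kept alive instead of dropped.
// Any credential that is absorbed but still alive violates the requirement;
// this check stands in for the assert. Returns the number of violations.
size_t leakedAbsorbedCredentials() {
    UserIpRegistry reg;
    auto conn = std::make_shared<Credentials>(reg, "carol", "10.0.0.3");
    std::vector<std::shared_ptr<Credentials>> kept;
    for (int i = 0; i < 2; ++i) {
        auto tmp = std::make_shared<Credentials>(reg, "carol", "10.0.0.3");
        conn->absorb(*tmp);
        kept.push_back(tmp);   // mistake: the absorbed copy stays referenced
    }
    size_t leaks = 0;
    for (const auto &c : kept)
        if (c->absorbed()) ++leaks;
    return leaks;
}
```

The registry keeps a use count per (user, IP) rather than a bare set of IPs, which is what makes the decrement safe: two connections from the same address do not cancel each other out when one closes, and the temporary handshake copy can hand its registration to the long-lived credential without the count dipping to zero in between.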
Received on Sun Aug 15 2010 - 23:26:13 MDT