When parameter "client ldap sasl wrapping" is set to "signed" or "sealed", ldap connections are not being reused. Each ldap query to the same DC results in closing the previous ldap connection and opening a new one with all the sasl binding process.
The reopening of the connection involves several round-trips which has significance where RTT is not negligible or where other network issues exist.
The issue can be evident from the packet traces and logs of https://bugzilla.samba.org/show_bug.cgi?id=11259:
- The scenrario is two users doing session setup one after the other. First user uris, then user uris2.
- For each user, an ldap query is made to retrieve info on the user (which is the subject of that bug)
- In packet 21314 we see that winbindd closes the ldap connection that was created to cater user uris, and then immediately starts the process of opening a new connection to cater user uris2.
- The log shows in line 23269:
"Current tickets expire in -1430903792 seconds (at 0, time is now 1430903792)"
i.e. the end time of the tgt or the service ticket is not recorded in the ads struct.
Created attachment 11039 [details]
Created attachment 11041 [details]
Slight change to deal with context already expired.
Does this also work for you ?
Created attachment 11048 [details]
git-am fix for master.
Updated to use GSS_ constants.
Created attachment 11051 [details]
git-am cherry-pick from master for 4.2.next, 4.1.next.
Cherry-pick applies cleanly to 4.2.next, 4.1.next. Ralph please review !
Re-assigning to Karolin for inclusion in 4.2.next, 4.1.next.
Pushed to autobuild-v4-[1|2]-test.
(In reply to Karolin Seeger from comment #6)
Pushed to both brnches.
Closing out bug report.