Bug 7645 - long delays with winbind on VPN.
Summary: long delays with winbind on VPN.
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind
Version: 3.5.4
Hardware: Other Windows NT
Importance: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2010-08-25 04:11 UTC by David Woodhouse
Modified: 2010-08-25 04:11 UTC

Description David Woodhouse 2010-08-25 04:11:48 UTC
...or, more to the point, when I fall *off* the VPN. If I suspend my laptop and resume, for example, it'll fall off the VPN and then ask me for my password to unlock the screen.

And then it'll take about four minutes to authenticate me using winbind. That seems to be the amount of time it takes to realise that it's fallen off the corporate network. 

I think at the very least we need a timeout for individual authentication requests. If we have cached credentials and an online request takes more than 20 seconds, then we should abort the online request (or continue it in the background) and use the cached credentials to authenticate the user.

Implementation detail: Obviously we do still want the Kerberos tickets to be obtained for the user when this happens. We'll need to think about what triggers that -- currently I think it's a "joined domain" event which triggers the fetching of TGTs for users who have logged in offline, and we need to ensure that it still happens if we never fell *off* the domain but it was just being slow.


Instead of a timeout, I've also pondered the possibility of *always* doing offline authentication in the PAM auth call, and doing the rest of it from the PAM open_session or setcred calls.
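
The timeout-then-cache policy proposed in the report above, as an added example that is not part of the bug report and is not Samba code. The names `authenticate`, `online_check` and `cached_check`, the sample password and the millisecond values are assumptions, as is the rule that a rejection actually received from the server is final and never falls back to the cache.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum auth_result { AUTH_DENIED, AUTH_OK_ONLINE, AUTH_OK_CACHED };

/* Hypothetical stand-in for the domain controller round trip; answers after delay_ms. */
static int online_check(const char *pw, int delay_ms) {
    poll(NULL, 0, delay_ms);                    /* simulated network latency */
    return strcmp(pw, "correct-horse") == 0;    /* constructed sample password */
}

/* Hypothetical stand-in for the offline cache; a real cache holds a salted hash. */
static int cached_check(const char *pw, const char *cached) {
    return cached != NULL && strcmp(pw, cached) == 0;
}

enum auth_result authenticate(const char *pw, const char *cached,
                              int dc_delay_ms, int timeout_ms) {
    int fds[2];
    if (pipe(fds) != 0) return AUTH_DENIED;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return AUTH_DENIED; }
    if (pid == 0) {                             /* child: the online request */
        char v = online_check(pw, dc_delay_ms) ? 'Y' : 'N';
        _exit(write(fds[1], &v, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    char v = 0;
    int answered = poll(&p, 1, timeout_ms) > 0 && read(fds[0], &v, 1) == 1;
    if (!answered) kill(pid, SIGKILL);          /* abort the slow request */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    /* A verdict from the server is final: a rejection never falls back to the cache. */
    if (answered) return v == 'Y' ? AUTH_OK_ONLINE : AUTH_DENIED;
    return cached_check(pw, cached) ? AUTH_OK_CACHED : AUTH_DENIED;
}

int main(void) {
    /* 200 ms deadline here; the report proposes 20 seconds. */
    printf("fast DC: %d\n", authenticate("correct-horse", "correct-horse", 10, 200));
    printf("slow DC: %d\n", authenticate("correct-horse", "correct-horse", 1000, 200));
    return 0;
}
```

The case worth noting is a password changed on the server while the cache still holds the old one: when the server answers in time, the old password is refused even though the cache would accept it.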