No maintenance mode here, I primarily saw the auth errors when we took the server all the way down for maintenance.
Is the Zimbra internal auth by any chance Kerberos-like? i.e. does a client get credentials that are renewable, but after a period of time they need to be completely refreshed? Could a client come online after a period of inactivity with credentials that appeared OK but were considered expired by the server?
Currently, this error is only happening for laptop users who may be disconnected from the server for extended periods of time. However, short sleeps or disconnections on the laptops don't cause this. It only happens after several days. Given that it does not happen on desktops that are always on and connected, I'm wondering if there is some renew/refresh mechanism for client credentials that these laptops cannot perform because they are disconnected. Then, when they get back online and try to renew creds, they have credentials in some state that cannot be renewed, leading to this exception.
In Kerberos-land, this would be equivalent to getting a ticket with a duration of X hours that can be renewed for Y days. A client can renew the ticket repeatedly within Y days, but after Y days are up, a complete re-auth is required. If a client were offline when the time went past Y days, then came back online, the credentials could not be renewed without a complete refresh. If the client was in any way unaware that the creds were expired and tried to use them, it would yield similar errors.
No idea if Zimbra auth works like this at all, but there are some parallels... just brainstorming,
-Mike
Last edited by mikelcu; 03-17-2009 at 12:13 PM..
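The Kerberos-style renewal rule described in the post above, as an added example that is not part of the original post and does not describe Zimbra's actual auth mechanism. It models a ticket with lifetime X and renewable lifetime Y, and a client that falls back to a full login when renewal is refused; the values of X and Y and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LIFETIME = timedelta(hours=10)   # X: constructed value
RENEWABLE = timedelta(days=7)    # Y: constructed value


@dataclass(frozen=True)
class Ticket:
    end_time: datetime    # ticket stops being usable here
    renew_till: datetime  # hard limit, fixed at the initial login


class ReauthRequired(Exception):
    """The server refuses to renew; only a full login can recover."""


def login(now):
    return Ticket(end_time=now + LIFETIME, renew_till=now + RENEWABLE)


def renew(ticket, now):
    # Server-side check: a renewal never extends past renew_till, and a
    # ticket that has already expired cannot be renewed either.
    if now >= ticket.renew_till:
        raise ReauthRequired("renewable lifetime exceeded")
    if now >= ticket.end_time:
        raise ReauthRequired("ticket expired before it was renewed")
    return Ticket(min(now + LIFETIME, ticket.renew_till), ticket.renew_till)


def refresh(ticket, now):
    """Client side: renew if possible, otherwise fall back to a full login."""
    try:
        return renew(ticket, now), "renewed"
    except ReauthRequired:
        return login(now), "reauthenticated"


def run_client(start, online_at):
    """Return the refresh outcome at each moment the client is online."""
    ticket, outcomes = login(start), []
    for now in online_at:
        ticket, outcome = refresh(ticket, now)
        outcomes.append(outcome)
    return outcomes
```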