Your message dated Mon, 2 Nov 2009 18:40:28 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-samba-maint] Bug#553923: Winbind idmap solved by upgrading to 3.4
has caused the Debian Bug report #553923,
regarding winbind: idmap_rid cache becomes corrupted when mixing group and user queries
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
553923: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553923
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: winbind
Version: 2:3.2.5-4lenny7
Severity: important
I have investigated a strange issue on a system not allowing users to log in.
It appeared that the winbind cache eventually got corrupt when mixing group
queries and user queries.
I am using the idmap_rid allocator.
If one queries with "wbinfo -G" for a group whose id is indeed a user id, that
user won't exist any more in winbind.
Example on a sane system:
e...@pp2tnce10c:~$ wbinfo -i 'PREPROD\jcb'
jcb:*:11129:10513:XXXXXXXXXXXXXXX YYYYYY:/home/PREPROD+jcb:/bin/bash
How to get a corrupt system (different from the first one, though):
## Step 1 : Try to group-resolve a user id
e...@pp2tnsa10c:~$ wbinfo -G 11129
S-1-5-21-4162644616-3733566000-1282571631-1129
## Step 2 : You can check that jcb's account is locked because his SID is now
associated with a group account in the winbind cache
e...@pp2tnsa10c:~$ id jcb
id: jcb: No such user
e...@pp2tnsa10c:~$ wbinfo -s S-1-5-21-4162644616-3733566000-1282571631-1129
PREPROD\jcb 1
e...@pp2tnsa10c:~$ wbinfo -n 'PREPROD\jcb'
S-1-5-21-4162644616-3733566000-1282571631-1129 User (1)
e...@pp2tnsa10c:~$ wbinfo -i 'PREPROD\jcb'
Could not get info for user PREPROD\jcb
##############
For some reason, this occurs without intent on one of my systems.
If you want the locked account to be able to log in again, you have to wait for
the positive ttl to expire, or to manually clean up winbind caches.
I attach my smb.conf so that one can easily reproduce it.
e...@pp2tnsa10c:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = PREPROD
realm = PREPROD.COMPANY.COM
security = ADS
restrict anonymous = 2
client NTLMv2 auth = Yes
use kerberos keytab = Yes
idmap domains = PREPROD, CORP, OTHERTRUSTED
template homedir = /home/%D+%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config OTHERTRUSTED:range = 70000 - 79999
idmap config OTHERTRUSTED:backend = tdb
idmap config CORP:range = 50000 - 69999
idmap config CORP:backend = rid
idmap config PREPROD:range = 10000 - 49999
idmap config PREPROD:backend = rid
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (800, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages winbind depends on:
ii adduser 3.110 add and remove users and groups
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libtalloc1 1.2.0~git20080616-1 hierarchical pool based memory all
ii libwbclient0 2:3.2.5-4lenny7 client library for interfacing wit
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii samba-common 2:3.2.5-4lenny7 Samba common files used by both th
winbind recommends no packages.
winbind suggests no packages.
-- no debconf information
--- End Message ---
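As an added illustration (not code from the reporter or from Samba), the following Python models the two things the report above turns on: the idmap_rid backend is a pure arithmetic mapping between RID and unix id (unix id = RID - base_rid + low end of the domain's range, so with the PREPROD range starting at 10000 the SID ending in -1129 maps to 11129 and back, whether one asks for a uid or a gid), and a SID returned by `wbinfo -G` can be cross-checked with the type that `wbinfo -s` reports before it is treated as a group. The ranges are taken from the smb.conf in the report; the type codes 2 (domain group) and 4 (alias) are the LSA SID_NAME_USE values and are an assumption from outside the page, as is the hypothetical `audit` helper that ties the checks together. The sample `wbinfo -s` line is constructed from the transcript above.

```python
import re

# idmap_rid ranges as configured in the reporter's smb.conf (the two
# domains with backend = rid). OTHERTRUSTED uses the tdb allocator and
# has no arithmetic mapping, so it is left out.
IDMAP_RID_RANGES = {
    "PREPROD": (10000, 49999),
    "CORP": (50000, 69999),
}

# SID_NAME_USE codes as printed by `wbinfo -s` / `wbinfo -n`. 1 = user is
# visible on the page; 2 and 4 are the domain-group and alias codes of the
# LSA SID_NAME_USE enumeration (assumption, not shown on the page).
SID_NAME_USER = 1
SID_NAME_DOM_GRP = 2
SID_NAME_ALIAS = 4

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID like the one in the report."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rid_to_unix_id(domain, sid, base_rid=0):
    """idmap_rid: unix id = rid - base_rid + low end of the domain range.
    The mapping carries no object type, which is why `wbinfo -G 11129`
    happily returns a SID that belongs to a user."""
    low, high = IDMAP_RID_RANGES[domain]
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("id %d outside %s range %d-%d" % (unix_id, domain, low, high))
    return unix_id


def unix_id_to_rid(domain, unix_id, base_rid=0):
    """Inverse mapping: the RID that idmap_rid derives from a uid or gid."""
    low, high = IDMAP_RID_RANGES[domain]
    if not low <= unix_id <= high:
        raise ValueError("id %d outside %s range %d-%d" % (unix_id, domain, low, high))
    return unix_id - low + base_rid


def parse_wbinfo_s(line):
    """Parse one line of `wbinfo -s` output, e.g. 'PREPROD\\jcb 1'."""
    name, type_str = line.rsplit(None, 1)
    return name, int(type_str)


def lookup_is_consistent(query, sid_type):
    """query is 'U' (wbinfo -U, uid -> SID) or 'G' (wbinfo -G, gid -> SID).
    False means the resolved SID's type contradicts the query, which is the
    combination the reporter says leaves the user unresolvable afterwards."""
    expected = {"U": {SID_NAME_USER}, "G": {SID_NAME_DOM_GRP, SID_NAME_ALIAS}}
    return sid_type in expected[query]


def audit(query, unix_id, domain, wbinfo_s_line):
    """Hypothetical helper: check one id -> SID lookup against what
    `wbinfo -s <sid>` printed for the SID that wbinfo -U/-G returned."""
    rid = unix_id_to_rid(domain, unix_id)
    name, sid_type = parse_wbinfo_s(wbinfo_s_line)
    return {"rid": rid, "name": name, "type": sid_type,
            "consistent": lookup_is_consistent(query, sid_type)}


if __name__ == "__main__":
    # Constructed from the report: the SID that `wbinfo -G 11129` printed
    # and the `wbinfo -s` line for it.
    sid = "S-1-5-21-4162644616-3733566000-1282571631-1129"
    print(rid_to_unix_id("PREPROD", sid))
    print(audit("G", 11129, "PREPROD", "PREPROD\\jcb 1"))
```

The practical use of the check is in a wrapper around group lookups: resolve the SID, run it through `wbinfo -s`, and refuse to treat a type-1 (user) SID as a group instead of letting the gid query go through winbind's cache.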
--- Begin Message ---
Version: 2:3.4.2-1
Quoting Castan Eric ([email protected]):
> I forgot to add that I tried packages from backports.org (
> 2:3.4.2-1~bpo50+3 ) and the problem does not exist any more in samba 3.4
Thanks for reporting this: I was about to ask you to try reproducing
the issue with a backported package. :-)
I'm not sure we will easily find out what upstream change fixed that
and if it's worth it to try fixing this in lenny.
Let's record that the bug is fixed in unstable and squeeze, then.
--- End Message ---