Re: [Samba] Winbind deadlock with AD and nss

2007-08-29 Thread Gerald (Jerry) Carter

Ed,

> # time wbinfo -U 100
> S-1-22-1-100
>
> real    0m0.047s
> user    0m0.014s
> sys     0m0.007s
>
> # time wbinfo -U 1001
> S-1-22-1-1001
>
> real    5m35.097s
> user    0m0.015s
> sys     0m0.011s

Stop nscd if it is running.  There are some problems in 3.0.25
when interacting with nscd.  Winbindd does enough caching that it's
not normally needed anyways (except possibly in really large
environments to help take some load off of winbindd).

cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Winbind deadlock with AD and nss

2007-08-26 Thread Ed Plese
Hi,

I'm testing out Samba 3.0.25c with Active Directory using the rid
idmap backend.  In certain cases there seems to be a repeatable
deadlock in winbind.

I have a local user ed created with uid 100 and no user exists with
uid 1001.  Here's the behavior I'm seeing with wbinfo:

# time wbinfo -U 100
S-1-22-1-100

real    0m0.047s
user    0m0.014s
sys     0m0.007s

# time wbinfo -U 1001
S-1-22-1-1001

real    5m35.097s
user    0m0.015s
sys     0m0.011s

The first command behaves as expected but the expected result of the
second command is "Could not convert uid 1001 to sid" with an
execution time of much less than 1 second as is seen with Samba 3.0.24
and lower.

This is running on Solaris 10 (x86) and compiled with Sun Studio 11
using the OpenLDAP and MIT Kerberos 5 libraries from Blastwave.  The
exact same configuration works fine with 3.0.24 with the only
difference being the idmap configuration changes between 3.0.24 and
3.0.25.

In /etc/nsswitch.conf I have:
passwd: files winbind
group:  files winbind

During the query to winbindd, uid 1001 is not within the range used
for the MYAD rid backend which causes the lookup to then be attempted
by passdb.  passdb in turn calls getpwuid which ends up querying
winbind through nss_winbind which is what leads to the deadlock.

When I remove winbind from nsswitch.conf the 5 minute delay is gone
but wbinfo returns S-1-22-1-1001 which is different from what
previous Samba versions returned.

Here's the contents of smb.conf:
[global]
  workgroup = MYAD
  realm = MYAD.ORG
  security = ads
  encrypt passwords = yes
  smb passwd file = /etc/samba/private/smbpasswd
  winbind separator = +
  winbind use default domain = yes
  winbind nested groups = no
  obey pam restrictions = yes
  winbind enum users = yes
  winbind enum groups = yes
  allow trusted domains = no
  idmap uid = 1-1
  idmap gid = 1-1
  idmap domains = MYAD
  idmap config MYAD: default = yes
  idmap config MYAD: backend = rid
  idmap config MYAD: range = 1-1
  idmap config MYAD: readonly = yes
  name resolve order = host
  dns proxy = no

In Samba versions prior to 3.0.25 the idmap options in smb.conf were:
   idmap uid = 1-1
   idmap gid = 1-1
   idmap backend = idmap_rid:MYAD=1-1

Is there something wrong with my new idmap configuration or is this a
bug?  3.0.25 implicitly adds the passdb backend which I don't think
older versions did.  Disabling this might fix the problem but is there
any way to do that?  Any other ideas on things to try?

Thanks,

Ed Plese
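
An added example, not part of either post and not Samba code: a Python check that models the lookup path described in the message above (uid outside the idmap range, then passdb's getpwuid, then nss_winbind). The sample files, the 10000-20000 range and all function names are constructed for illustration, and the model assumes a uid found in local files is answered before winbind is asked.

```python
import re

# Constructed sample inputs; the idmap range is made up, not the poster's value.
NSSWITCH = "passwd: files winbind\ngroup:  files winbind\n"
PASSWD = "root:x:0:0:root:/root:/bin/sh\ned:x:100:100:Ed:/home/ed:/bin/sh\n"
SMB_CONF = """[global]
  idmap domains = MYAD
  idmap config MYAD: backend = rid
  idmap config MYAD: range = 10000-20000
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def nss_sources(nsswitch_text, database="passwd"):
    """Ordered lookup sources for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            # Drop action items such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1]).split()
    return []

def idmap_ranges(smb_conf_text):
    """Map domain -> (low, high) from 'idmap config DOMAIN: range = low-high'."""
    found = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            found[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return found

def local_uids(passwd_text):
    """UIDs that the 'files' source can answer without asking winbind."""
    return {int(f[2]) for f in (l.split(":") for l in passwd_text.splitlines())
            if len(f) > 2 and f[2].isdigit()}

def reenters_winbind(uid, nsswitch_text, smb_conf_text, passwd_text):
    """True if a uid-to-SID lookup would fall through getpwuid into nss_winbind."""
    if any(lo <= uid <= hi for lo, hi in idmap_ranges(smb_conf_text).values()):
        return False  # answered by the domain's idmap backend
    sources = nss_sources(nsswitch_text)
    if "winbind" not in sources:
        return False  # getpwuid never reaches nss_winbind
    answered_first = ("files" in sources
                      and sources.index("files") < sources.index("winbind")
                      and uid in local_uids(passwd_text))
    return not answered_first
```

With the constructed inputs, uid 100 (a local user) is not flagged and uid 1001 (no such user, outside the range) is, matching the two wbinfo runs in the message.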