[Bug 1643602] Re: Graphical privilege escalation fails (AD auth via sssd, polkit)

2017-11-13 Thread pnomblot
Ubuntu LTS xenial is still on SSSD 1.13, so it still has this bug :-(

This discourages the use of Ubuntu in business, it's sad...

Is any bug fix or backport planned for this bug?

Many thanks to all!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1643602

Title:
  Graphical privilege escalation fails (AD auth via sssd, polkit)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1643602/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1034869] [NEW] winbind normalize names = yes disable winbind cache mechanism and cause LDAP heavy load / poor performances

2012-08-09 Thread pnomblot
Public bug reported:

Context :

Description:    Ubuntu 12.04 LTS
Release:        12.04

samba:
  Installed: 2:3.6.3-2ubuntu2.3
  Candidate: 2:3.6.3-2ubuntu2.3
  Version table:
 *** 2:3.6.3-2ubuntu2.3 0
        500 ftp://debmirror.parkeon.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:3.6.3-2ubuntu2.1 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     2:3.6.3-2ubuntu2 0
        500 ftp://debmirror.parkeon.com/ubuntu/ precise/main amd64 Packages


Linux client, Ubuntu 12.04, SSO authentication against a Microsoft 2008 AD
server, Winbind 3.6.3 (Ubuntu 12.04 LTS, Linux 3.2.0-27-generic, winbind
2:3.6.3-2ubuntu2.3)

Problem Description:

I have discovered that setting the option winbind normalize names = yes
causes the winbind client to send an LDAP search for each username/group
resolution, even for those in cache. Setting this option to No makes
winbind use the cache; setting winbind in offline mode works fine too
(smbcontrol winbind offline). This behavior causes heavy load on the
client/server when resolving a full tree of files, or simply slows down
Apache SSO authentication based on winbind, as each web object read will
cause multiple LDAP searches before serving.

How to reproduce:

Run the shell command

# id pnomblot

This makes winbind send 3 LDAP searches to resolve the pnomblot alias (can
be checked with Wireshark).

for i in {0..10}; do id pnomblot ;done

causes 30 LDAP searches to be sent to the LDAP server to resolve the same id.

For example, a deja-dup backup also causes millions of LDAP requests while
parsing files ...


My smb.conf :

[global]
workgroup = nomblot.org
realm = nomblot.org
security = ads
domain master = no
local master = no
allow trusted domains = no
socket options = TCP_NODELAY
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
password server = *
client ntlmv2 auth = yes
idmap config NOMBLOT:backend = ad
idmap config NOMBLOT:default = yes
idmap config NOMBLOT:schema_mode = rfc2307
idmap config NOMBLOT:range = 500 - 3
idmap config *:backend = ad
idmap config *:range = 500 - 3
idmap cache time = 1209600
idmap negative cache time = 1209600
username map cache time = 300
winbind cache time = 300
winbind expand groups = 10
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind offline logon = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind reconnect delay = 5
winbind normalize names = yes
dns proxy = no
log file = /var/log/samba/log.%m
log level = 0 idmap:0 winbind:1
max log size = 1000
obey pam restrictions = yes
pam password change = yes
name resolve order = host
create krb5 conf = no
private dir = /var/lib/samba
state directory = /var/lib/samba
cache directory = /var/cache/samba
lock directory = /var/lib/samba
pid directory = /var/run
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
invalid users = root daemon bin sys sync games man lp ...
#end of smb.conf


Thanks for your help

Patrick.

** Affects: samba (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1034869

Title:
  winbind normalize names = yes disable winbind cache mechanism and
  cause LDAP heavy load / poor performances

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1034869/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
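
A configuration check for the setting this report identifies, as an added example that is not part of the original report or of Samba: it reads the [global] section of an smb.conf-style file and flags `winbind normalize names` when it is enabled, alongside the configured `winbind cache time`. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag the smb.conf setting this report blames for
# bypassing the winbind cache. Function names are hypothetical.

# smb_param FILE NAME: print the last value of NAME in [global], if any.
# Names are compared case-insensitively with whitespace removed, the way
# smb.conf treats section and parameter names.
smb_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*([#;]|$)/ { next }            # comment or blank line
        /^[ \t]*\[/ {                         # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sect = norm(s); next
        }
        sect == "global" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (norm(name) == want) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_normalize_names FILE: print AFFECTED plus the configured cache
# time when the option is on, else OK (the Samba default is "no").
check_normalize_names() {
    v=$(smb_param "$1" "winbind normalize names" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        yes|true|on|1)
            ct=$(smb_param "$1" "winbind cache time")
            echo "AFFECTED winbind_cache_time=${ct:-default}" ;;
        *)  echo "OK" ;;
    esac
}

# Constructed sample, trimmed from the settings quoted in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   winbind cache time = 300
   Winbind  Normalize Names = Yes
EOF
check_normalize_names "$sample"   # prints the verdict for the sample
rm -f "$sample"
```

On a host with Samba installed, `testparm -s` prints the effective configuration and can be used to confirm what winbind actually loaded.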

