This patch attempts to address an issue some have reported where our
nss_winbind is even slower than its simple non-caching implementation
needs to be.

I think this comes from us not handling the BUILTIN domain properly, and
so we constantly attempt to contact the DC, and then fail an internal
validation step, throwing away that connection.  

I think this is also the cause of crashes folks have seen.

Can I get some confirmation that this helps, so I can merge this into
master (and then 4.0.x)?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

>From 286b4da879f3a3f7e24df7d31950cb72025f92ec Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Sat, 15 Jun 2013 23:01:44 +1000
Subject: [PATCH] s4-winbind: Add special case for BUILTIN domain

This should mean that lookups for the BUILTIN domain cause less trouble
than they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett
---
 source4/winbind/wb_dom_info.c    |  5 +++--
 source4/winbind/wb_init_domain.c | 38 ++++++++++++++++++++------------------
 source4/winbind/wb_sid2domain.c  | 14 ++++++++++++++
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c
index e2b5def..8c08c73 100644
--- a/source4/winbind/wb_dom_info.c
+++ b/source4/winbind/wb_dom_info.c
@@ -67,9 +67,10 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
 	state->info->sid = dom_sid_dup(state->info, sid);
 	if (state->info->sid == NULL) goto failed;
 
-	if ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
+	if (dom_sid_equal(sid, &global_sid_Builtin) || 
+	    ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
 	    dom_sid_equal(sid, service->primary_sid) &&
-	    service->sec_channel_type != SEC_CHAN_RODC) {
+	     service->sec_channel_type != SEC_CHAN_RODC)) {
 		struct interface *ifaces = NULL;
 
 		load_interface_list(state, service->task->lp_ctx, &ifaces);
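Review bot: The added `dom_sid_equal(sid, &global_sid_Builtin)` clause is OR-ed in front of the role and `SEC_CHAN_RODC` tests, so on a `ROLE_DOMAIN_MEMBER` or RODC a BUILTIN lookup now takes the branch that loads the local interface list, which those configurations never reached before. If that is intended, a comment above the condition should say so, for example `/* BUILTIN is local to every machine, so it is answered from our own addresses regardless of server role */`. The first new line also ends in a trailing space after `||`. The body of this `if` continues past the end of the hunk, so what is done with `ifaces` is not visible here.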
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 70dbaa9..db5eb1d 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -369,24 +369,26 @@ static void init_domain_recv_queryinfo(struct tevent_req *subreq)
 	state->ctx->status = state->queryinfo.out.result;
 	if (!composite_is_ok(state->ctx)) return;
 
-	dominfo = &(*state->queryinfo.out.info)->account_domain;
-
-	if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
-		DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
-			  state->domain->info->name,
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dominfo->name.string));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
-	}
-
-	if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
-		DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
-			  dom_sid_string(state, state->domain->info->sid),
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dom_sid_string(state, dominfo->sid)));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
+	if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) {
+		dominfo = &(*state->queryinfo.out.info)->account_domain;
+		
+		if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
+			DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
+				  state->domain->info->name,
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dominfo->name.string));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
+		
+		if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
+			DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
+				  dom_sid_string(state, state->domain->info->sid),
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dom_sid_string(state, dominfo->sid)));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
 	}
 
 	state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);
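Review bot: The name and SID comparison against the DC's `account_domain` reply is the only visible check in this callback that the server answering is the one expected for the domain, and the new outer `if` skips it for BUILTIN without recording why. The skip looks reasonable, since a DC's account domain would not be BUILTIN and the comparison could never succeed, but that reasoning belongs in a comment such as `/* BUILTIN is never the DC's account domain, so the name/SID cross-check cannot match; skip it */`. `dominfo` is now assigned only inside the block, so if the rest of init_domain_recv_queryinfo (outside this hunk) reads it, the BUILTIN path would use it uninitialised; worth confirming. The two blank lines inside the new block carry trailing tabs.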
diff --git a/source4/winbind/wb_sid2domain.c b/source4/winbind/wb_sid2domain.c
index 637fe1d..172a6d0 100644
--- a/source4/winbind/wb_sid2domain.c
+++ b/source4/winbind/wb_sid2domain.c
@@ -98,6 +98,20 @@ static struct tevent_req *_wb_sid2domain_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
+	if (dom_sid_equal(&global_sid_Builtin, sid) ||
+	    dom_sid_in_domain(&global_sid_Builtin, sid)) {
+		ctx = wb_get_dom_info_send(state, service,
+					   "BUILTIN", NULL,
+					   &global_sid_Builtin);
+		if (tevent_req_nomem(ctx, req)) {
+			return tevent_req_post(req, ev);
+		}
+		ctx->async.fn = wb_sid2domain_recv_dom_info;
+		ctx->async.private_data = req;
+
+		return req;
+	}
+
 	ctx = wb_cmd_lookupsid_send(state, service, &state->sid);
 	if (tevent_req_nomem(ctx, req)) {
 		return tevent_req_post(req, ev);
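Review bot: The new branch classifies the caller's `sid`, while the unchanged lookup directly below passes `&state->sid`; using one of the two consistently would make it obvious that both paths act on the same SID. A comment on the branch would help the next reader, for example `/* BUILTIN and its aliases are resolved locally; do not send them through lookupsid and the trusted-domain path */`. The send / `tevent_req_nomem` / callback sequence is repeated here, and if the branch that ends just above the hunk has the same shape a small static helper could serve both. _wb_sid2domain_send starts before and continues past this hunk.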
-- 
1.7.11.7
