FW: Winbindd timeout on unreacheable domains

Fri Feb 20 11:36:01 GMT 2004

Hi Andrew,

	I get what you're saying that if we aren't even doing a ping then we shouldn't say we are
connected. However in testing I have found the behaviour of this patch to be very desireable.

If you start winbindd with an unreachable trusted domain, it comes up and users for that domain are not
listed by wbinfo. This is ok as far as I'm concerned, better that long timeouts and in practice I'd
prefer to sort the network issue in this situation.
If you then bring back connectivity to the trusted domain, users are listed by wbinfo (without
restarting winbindd). Again good.
If you then re-take away connectivity to the trusted domain, you still see users for that domain in
wbinfo but you get a "cli pipe: ... critical error ... timed out..." followed by "Failed to get ldap server info" errors from winbindd. Unless you have a reason why I should care about these errors and
winbindd doesn't panic (which it doesn't in my test) then this again is good.

Any comments?

	thanks Andy.

On Fri, 2004-02-20 at 02:01, Lin Li wrote:
> Lin Li wrote:
> 
> > In fact I have logged a bug (#704) for this. It's doing 
> > ads_try_connect(). My solution is to use ldap_init() instead of 
> > ldap_open() and set a small timeout using ldap_set_option(). Here is 
> > my patch (I'm using 3.0.0) and it works in my test.
> > -------------------------------------
> > +       struct timeval timeout;
> >
> >        if (!server || !*server) {
> >                return False;
> > @@ -58,11 +59,15 @@
> >        /* this copes with inet_ntoa brokenness */
> >        srv = strdup(server);
> >
> > -       ads->ld = ldap_open(srv, port);
> > +       ads->ld = ldap_init(srv, port);
> >        if (!ads->ld) {
> >                free(srv);
> >                return False;
> >        }
> > +
> > +       timeout.tv_sec = 15;
> > +       timeout.tv_usec = 0;
> > +       ldap_set_option(ads->ld, LDAP_OPT_NETWORK_TIMEOUT, &timeout);
> >        ads->ldap_port = port;
> >        ads->ldap_ip = *interpret_addr2(srv);
> >        free(srv);
> > -------------------------------------
> >
> > Thanks,
> > Lin
> >
> Sorry, the patch is for source/libads/ldap.c

Unfortunetly, there is a problem with that patch.

The issue is that making the connect() to the remote LDAP server is put
off until the first LDAP operation.  The current code paths assume that
if ldap_open() suceeds, then at least the remote sever is there...

So, we need to at least 'ping' the remote server in some way, before we
can say 'we connected'.  I would suggest this means calling
ads_server_info() inside ads_try_connect() and ads_try_connect_uri(). 
These functions should also return ADS_STATUS, and be correctly modified
to return something useful (that ads_find_dc() can use) when the remote
server just isn't there.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

BBCi at http://www.bbc.co.uk/

This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically
stated.
If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in
reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received.
Further communication will signify your consent to this.