winbind retries excessively for illegal id allocation

Andrew Bartlett abartlet at
Fri May 7 23:56:01 GMT 2004

On Sat, 2004-05-08 at 00:33, kawasa_r at wrote:
> This happens when idmap backend is set to LDAP. When getpwent()/getgrent() 
> functions try to allocate an id that exceeds the specified range
> (the range is specified by "winbind uid/winbind gid" in the configuration file),
> "ldap_allocate_id: Cannot allocate uid above XXXX!" appears massively
> in the log file of the winbind daemon.
> This happens because the winbind daemon repeatedly retries the
> out-of-range allocation and fails. (Is there any reason for this?)
> The following patch abolished the retry management except for 
> duplicated registrations to the LDAP server. In the exceptional
> case, winbind daemon retries once.
> Index: samba-302/source/sam/idmap_ldap.c
> ===================================================================
> RCS file: /cvs/samba-302/source/sam/idmap_ldap.c,v
> retrieving revision 1.1
> retrieving revision 1.3
> diff -u -r1.1 -r1.3
> --- samba-302/source/sam/idmap_ldap.c	16 Feb 2004 01:13:37 -0000	1.1
> +++ samba-302/source/sam/idmap_ldap.c	30 Mar 2004 07:28:00 -0000	1.3
> @@ -42,7 +42,9 @@
>  static struct ldap_idmap_state ldap_state;
>  /* number tries while allocating new id */
> -#define LDAP_MAX_ALLOC_ID 128
> +#define LDAP_MAX_ALLOC_ID 2
> +BOOL ldap_allocate_id_error = False;
> +BOOL ldap_alloc_collision = False;
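
Review bot: The two flags added at the end of this hunk, ldap_allocate_id_error and ldap_alloc_collision, are declared at file scope without static, unlike ldap_state directly above them, so they get external linkage and become shared mutable state outside idmap_ldap.c. Consider carrying them as fields of the existing ldap_state structure, or reporting the out-of-range and collision conditions through the allocation function's return value. The comment "number tries while allocating new id" also no longer explains the constant: with LDAP_MAX_ALLOC_ID going from 128 to 2, it should say which failure the remaining retry is meant for, and the two new flags need a comment of their own.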

I like the idea (only loop massively if the atomic increment failed - in
case we are racing somebody), but I would like to avoid adding more
global variables to the code.   However, we have the ldap_idmap_state,
and you can certainly add this kind of thing.

We should indicate the error state by error returns, or extra 'status'
parameters on the function calls, rather than global variables.  We may
not even be using the LDAP backend.

Finally - a *big* thank-you for all the patches.  While I might disagree
on some minor technical details, these are a very good, well thought-out
series of patches.  I haven't seen such a stream of solid fixes from a
single source in a long time.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at