[PATCH] LOOKUP_NAME_EXPLICIT to avoid lockups between winbindd
idra at samba.org
Fri May 25 18:31:09 GMT 2007
On Fri, 2007-05-25 at 13:17 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Here's the problem I hit:
> getgrnam("foo") -> nscd -> NSS -> winbindd ->
> winbindd_passdb.c:nam_to_sid() -> lookup_global_sam_name() ->
> getgrnam("foo") -> nscd -> ....
> This is in the SAMBA_3_0 specifically but in theory could happen
> SAMBA_3_0_25 (or 26) for an unknown group.
> The attached patch passes down enough state for the
> name_to_sid() call to be able to determine the originating
> winbindd cmd that came into the parent. So we can avoid
> making more NSS calls if the original call came in trough NSS
> so we don't deadlock ? But you should still service
> lookupname() calls which are needed for example when
> doing the token access checks for a "valid groups" from
> I've got this in testing now. The problem has shown up with the
> DsProvider on OS X and with nscd on SOlaris and Linux.
Why our nss_winbindd loop protection does not kick in in this case?
Do we explicitly disable it somewhere?
Samba Team GPL Compliance Officer
email: idra at samba.org
More information about the samba-technical