Reviewing b58e4f6b3d7329....

Karolin Seeger ks at sernet.de
Mon Jun 30 06:58:39 GMT 2008


Jerry,

On Sat, Jun 28, 2008 at 09:31:01AM -0400, Gerald (Jerry) Carter wrote:
> Karolin,
> 
> I'm not sure this is correct.
> 
>   commit b58e4f6b3d73294d8448c0dff4341183c52e5b7c
>   Author: Karolin Seeger <kseeger at samba.org>
>   Date:   Mon Jun 16 15:21:28 2008 +0200
> 
>     winbind cache: Don't create SN cache entries during name-to-sid queries.
> 
>     Clients can request name-to-sid queries for different combinations of
>     upper and lower case names. We don't want to create the reverse caching
>     entries for each combination used.
> 
>     This avoids inconsistent answers on sid-to-name queries.
> 
> Would you provide an example of what bug it is supposed to fix?
> Thanks.

The problem was that sid_to_name requests were returning inconsistent values.
During name_to_sid requests, a reverse caching entry was added to the
Winbindd cache. Name_to_sid requests can be made for different
combinations of lower case and upper case as it depends on the user/client. 
Following sid_to_name requests were taken out of the cache and returned the 
name in the same notation as the name was given in a sid_to_name request
before.

Example (without patch):

-----8<------------------snip--------------8<--------------
bando:~ # wbinfo -n EXAMPLE\\administrator
S-1-5-21-3786053481-691478466-3450209754-500 User (1)
bando:~ # tdbdump /var/lib/samba/winbindd_cache.tdb
{
key(17) = "TRUSTDOMS/EXAMPLE"
data(61) =
"\00\00\00\00\A7\07\00\00\01\00\00\00\05PEPPY\00)S-1-5-21-2080687722-1173791329-1542289999"
}
{
key(10) = "SN/S-1-5-2"
data(35) =
"\00\00\00\00\A7\07\00\00\05\00\00\00\0DNT-AUTORIT\C3\84T\08NETZWERK"
}
{
key(10) = "SN/S-1-1-0"
data(19) = "\00\00\00\00\A7\07\00\00\05\00\00\00\00\05Jeder"
}
{
key(24) = "NS/EXAMPLE/ADMINISTRATOR"
data(57) =
"\00\00\00\00\A7\07\00\00\01\00\00\00,S-1-5-21-3786053481-691478466-3450209754-500"
}
{
key(47) = "SN/S-1-5-21-3786053481-691478466-3450209754-500"
data(34) =
"\00\00\00\00\A7\07\00\00\01\00\00\00\07EXAMPLE\0Dadministrator"
}
{
key(15) = "SEQNUM/EXAMPLE\00"
data(8) = "\A7\07\00\00\E5~hH"
}
bando:~ # wbinfo -s S-1-5-21-3786053481-691478466-3450209754-500
EXAMPLE\administrator 1 
----->8------------------snap-------------->8--------------

'wbinfo -s' returns EXAMPLE\administrator although the real name is
EXAMPLE\Administrator.

The patch ensures that no reverse caching entries are created and Winbindd 
asks the DC for sid_to_name requests.

Please inform me as soon as possible if this patch should be removed
before we ship the final release.

Cheers,
Karolin

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
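
A toy model of the caching behaviour described in this message, added here as an illustration; it is not Samba's code or the patch itself. The single-entry `struct cache`, the function signatures and the `create_reverse_entry` switch are assumptions of the model, as is caching the DC's answer on a sid-to-name miss.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Toy model of the behaviour described in the mail; not Samba source. */
#define DC_NAME "EXAMPLE\\Administrator" /* spelling held by the DC */
#define DC_SID  "S-1-5-21-3786053481-691478466-3450209754-500"

struct cache {
    char sn_name[64]; /* value of the "SN/<sid>" entry; "" = no entry */
    int dc_lookups;   /* sid-to-name questions that reached the DC */
};

static int same_name_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* create_reverse_entry = 1 models the behaviour before the commit. */
const char *name_to_sid(struct cache *c, const char *name, int create_reverse_entry)
{
    if (!same_name_nocase(name, DC_NAME))
        return NULL;
    if (create_reverse_entry) /* client-chosen case becomes the SN value */
        snprintf(c->sn_name, sizeof(c->sn_name), "%s", name);
    return DC_SID;
}

const char *sid_to_name(struct cache *c, const char *sid)
{
    if (strcmp(sid, DC_SID) != 0)
        return NULL;
    if (c->sn_name[0] == '\0') { /* miss: ask the DC, keep its spelling */
        c->dc_lookups++;
        snprintf(c->sn_name, sizeof(c->sn_name), "%s", DC_NAME);
    }
    return c->sn_name;
}

int main(void)
{
    struct cache before = {0}, after = {0};
    /* Constructed scenario: the lookup from the mail, then the reverse query. */
    name_to_sid(&before, "EXAMPLE\\administrator", 1);
    name_to_sid(&after, "EXAMPLE\\administrator", 0);
    printf("before the commit: %s\n", sid_to_name(&before, DC_SID));
    printf("after the commit:  %s\n", sid_to_name(&after, DC_SID));
}
```

In the model, the cost of the fix is visible in `dc_lookups`: the first sid-to-name query after a name-to-sid query now goes to the DC instead of being served from the cache.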
