Samba 3.0.32: GID leak in winbind caused by repeated winbind_allocate_gid() call for BUILTIN\Administrators creation in smbd

Volodymyr Khomenko Volodymyr.Khomenko at exanet.com
Thu Nov 6 16:52:35 GMT 2008


Hi all,

We've hit a strange flow in smbd/winbind which leads to a leak of the GID pool in winbind.
I investigated the issue when the GID range was exhausted:

[2008/11/04 14:39:55, 1, pid=29731] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(470)
  Fatal Error: GID range full!! (max: 310000)

In winbind.conf we've configured quite a wide range for gid:
idmap gid = 210000-310000

But I see overly frequent GID allocations in the winbind log (log level 10):
# grep -B 1 'New GID' /usr/local/samba/var/log.winbindd-idmap
[2008/11/04 18:41:48, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219303
[2008/11/04 18:41:48, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219304
[2008/11/04 18:42:22, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219305
[2008/11/04 18:42:22, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219306

It seems I've found the place of this GID leak in smbd: in the 'create_local_nt_token' routine
(on new user login) we try to add builtin groups like 'BUILTIN\Administrators' and 'BUILTIN\Users':

if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
   ...
   status = create_builtin_administrators( );
   ...
}

On the one hand, sid_to_gid() fails to find the Builtin_Administrators group in winbind, so it tries to create it.
Thus create_builtin_administrators()->pdb_create_builtin_alias()->winbind_allocate_gid() allocates a new GID.
On the other hand, winbind is not supposed to create mappings for its own domain - see idmap_can_map()
(Builtin_Administrators = S-1-5-32-544 belongs to it), so sid_to_gid will always fail:

[2008/11/05 16:25:14, 10, pid=12480] nsswitch/winbindd_dual.c:child_process_request(478)
  process_request: request fn DUAL_SID2GID
[2008/11/05 16:25:14, 3, pid=12480] nsswitch/winbindd_async.c:winbindd_dual_sid2gid(558)
  [11666]: sid to gid S-1-5-32-544
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap_util.c:idmap_sid_to_gid(145)
  idmap_sid_to_gid: sid = [S-1-5-32-544]
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap_cache.c:idmap_cache_map_sid(401)
  Cache entry with key = IDMAP/SID/S-1-5-32-544 couldn't be found
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1187)
  Query backends to map sids->ids
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1212)
  SID S-1-5-32-544 is being handled by MY_DOMAIN
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap.c:idmap_backends_sids_to_unixids(1233)
  Query ids from domain MY_DOMAIN
[2008/11/05 16:25:14, 10, pid=12480] passdb/pdb_interface.c:pdb_default_sid_to_id(1316)
  Could not find map for sid S-1-5-32-544
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap.c:idmap_can_map(961)
  We are not supposed to create mappings for our own domains (local, builtin, specials)
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-32-544; value =   1225895234/IDMAP/NEGATIVE and timeout = Wed Nov  5 16:27:14 2008 (120 seconds ahead)
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/idmap_util.c:idmap_sid_to_gid(164)
  sid [S-1-5-32-544] not mapped to an gid [2,2]
[2008/11/05 16:25:14, 10, pid=12480] nsswitch/winbindd_async.c:winbindd_dual_sid2gid(570)
  winbindd_dual_sid2gid: 0xc0000073 - S-1-5-32-544 - 0

So, this flow runs again and again, and on each login we lose a few GIDs from the range.
Can anybody please advise what is wrong with Samba and causes such behaviour?

Thanks for help.
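
Added example, not part of the original post and not Samba code: a small parser that measures how fast a winbindd log is consuming the `idmap gid` range, so an exhaustion like the one reported can be spotted before the "GID range full" error. The function names are hypothetical, the sample input is the four "New GID" entries quoted in the post, and the projection assumes the allocation rate stays constant.

```python
import re
from datetime import datetime

# Sample input: the "New GID" entries quoted in the post (header line, then indented message).
SAMPLE_LOG = """\
[2008/11/04 18:41:48, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219303
[2008/11/04 18:41:48, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219304
[2008/11/04 18:42:22, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219305
[2008/11/04 18:42:22, 10, pid=19178] nsswitch/idmap_tdb.c:idmap_tdb_allocate_id(489)
  New GID = 219306
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+(?:, pid=\d+)?\]")
NEW_GID = re.compile(r"^\s+New GID = (\d+)")

def parse_gid_allocations(text):
    """Return [(timestamp, gid)] for every 'New GID' message in a winbindd log."""
    allocations, stamp = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:  # remember the timestamp for the message line that follows
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        msg = NEW_GID.match(line)
        if msg and stamp is not None:
            allocations.append((stamp, int(msg.group(1))))
    return allocations

def range_report(allocations, low, high):
    """Summarise pool usage for an 'idmap gid = low-high' range."""
    if not allocations:
        return None
    gids = [g for _, g in allocations]
    span = (allocations[-1][0] - allocations[0][0]).total_seconds()
    rate = (len(gids) - 1) / span * 3600 if span > 0 else None  # GIDs per hour
    remaining = high - max(gids)
    return {
        "allocated_in_log": len(gids),
        "used_fraction": (max(gids) - low + 1) / (high - low + 1),
        "remaining": remaining,
        "gids_per_hour": rate,
        "hours_to_exhaustion": remaining / rate if rate else None,
    }

if __name__ == "__main__":
    print(range_report(parse_gid_allocations(SAMPLE_LOG), 210000, 310000))
```

On a host where builtin groups are the only expected consumers of the range, a steady non-zero `gids_per_hour` that tracks login activity is the signature of the leak described above.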

