[patch] Ignore local system users in initgroups

Nick t31 at 2thebatcave.com
Wed Nov 18 11:41:13 MST 2009

For local users who definitely are not on the centralized directory,
winbind shouldn't try to lookup any group memberships.  The reason for
this is that winbind can hang for a while on a query causing issues
for core system services.

For example if NetworkManager is running and has a dispatcher script
which tries to run 'smbcontrol winbind offline', NetworkManager may
never get to actually fork the script since name lookups are hanging
for local system users (e.g. dbus, root).  So since winbind still
thinks it's online things will continue to hang for even longer.

To speed things up and make them more reliable, winbind should have
something like the nss_initgroups_ignoreusers option for nss_ldap.

I've attached a patch which is an attempt at adding a "winbind
initgroups ignoreusers" parameter.  I think this should be a
configuration parameter so that each admin can define what they think
is best.

One issue I have is that implementing this option in winbindd_group.c
still causes a hang when winbindd isn't initialized yet.  So it would
be best to be implemented before anything that tries to contact
winbindd, however from what I can tell anything at that level doesn't
have accessibility to the config file to actually read the option.
Therefore in this patch there are actually two items, implementing the
option in winbindd_group.c, and also a hardcoded skipping of "root" in
winbind_nss_linux.c (possibly this should be in a more general place,
but I couldn't find a better place nor a function definition for
_nss_winbind_initgroups_dyn under the other OS implementations).  The
second part is because most core stuff is running as root, and it
should be a safe bet that root isn't a member of any group on the
directory service, and even if it was then it wouldn't matter since
root is the superuser and would have access to everything regardless
of group membership.  However it would still be best to implement the
user skip checking based on the option alone (without hardcoding
"root") at a level before any attempt at calling winbindd is done.

I am trying to get winbind to work more reliably on roaming and am
willing to put in some dev time to get it done.  However if anyone can
help (even giving pointers about what would/wouldn't be accepted), it
would be greatly appreciated.

I've also added a bug report here:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.4.3-winbind-initgroup-ignore.patch
Type: text/x-patch
Size: 3682 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091118/ad3318bd/attachment.bin>

More information about the samba-technical mailing list