[PATCH] s3:winbind add timeouts to winbind cache
Christian M Ambach
christian.ambach at de.ibm.com
Fri Nov 5 04:23:07 MDT 2010
Hi list,
while I was testing master if newly trusted domains are correctly detected
while
winbindd is running, I found a few flaws that are caused by the current
implementation in winbind_cache.c
one testcase:
- join Samba to a domain with no trusts
- start winbind and do a wbinfo -n domain\user for a domain you are about
to
trust soon
- add the trust on the domain controller
- wait until rescan_trusted_domains has run
- run wbinfo -n domain\user again
Expected result: user can now be resolved
Actual result: user still cannot be resolved
Another scenario which was failing:
- start winbindd with no connection to the DC (e.g. with a bad resolv.conf)
- perform the wbinfo -n call
- correct /etc/resolv.conf
- perform the wbinfo -n call again
This is caused by the NDR cache that caches the negative result until
another
lookup operation is performed that would replace the cached entry in the
cache TDB.
The entry is still considered to be valid because the sequence number on
the DC
does not change in this case.
The changes I did to the winbind cache add a timeout to the cached entries
and
extends the expiration check to not only look at the domain sequence number
but
also at the timeout values.
I first wanted to move the records to the gencache, but there might be
sensitive information in them that needs to be kept in Winbind's private
TDB
that cannot be read by Samba processes running under user credentials.
Regards,
Christian
(See attached file: 0001-s3-winbind-add-timeouts-to-winbind-cache.patch)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-winbind-add-timeouts-to-winbind-cache.patch
Type: application/octet-stream
Size: 6671 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101105/8c08d3a7/attachment.obj>
More information about the samba-technical
mailing list