[PATCH] s3:winbind add timeouts to winbind cache

Christian M Ambach christian.ambach at de.ibm.com
Fri Nov 5 04:23:07 MDT 2010

Hi list,

while I was testing master if newly trusted domains are correctly detected
while winbindd is running, I found a few flaws that are caused by the current
implementation in winbind_cache.c

one testcase:
- join Samba to a domain with no trusts
- start winbind and do a wbinfo -n domain\user for a domain you are about
  to trust soon
- add the trust on the domain controller
- wait until rescan_trusted_domains has run
- run wbinfo -n domain\user again

Expected result: user can now be resolved
Actual result: user still cannot be resolved

Another scenario which was failing:
- start winbindd with no connection to the DC (e.g. with a bad resolv.conf)
- perform the wbinfo -n call
- correct /etc/resolv.conf
- perform the wbinfo -n call again

This is caused by the NDR cache that caches the negative result until a
lookup operation is performed that would replace the cached entry in the
cache TDB.
The entry is still considered to be valid because the sequence number on
the DC does not change in this case.

The changes I did to the winbind cache add a timeout to the cached entries and
extend the expiration check to not only look at the domain sequence number but
also at the timeout values.

I first wanted to move the records to the gencache, but there might be
sensitive information in them that needs to be kept in Winbind's private
that cannot be read by Samba processes running under user credentials.


(See attached file: 0001-s3-winbind-add-timeouts-to-winbind-cache.patch)
Attachment: 0001-s3-winbind-add-timeouts-to-winbind-cache.patch (6671 bytes)
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101105/8c08d3a7/attachment.obj>
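The expiration logic the mail describes, as an added example that is not part of the original post and not code from Samba's winbind_cache.c: a small C model of a cache record carrying both the domain sequence number and a timeout, with the old sequence-number-only check beside the extended one, run through the second scenario above (no DC connection, negative result cached, connection fixed, same lookup again). The struct layout, the function names, the constructed "DOMAIN\user" name and the 300-second entry lifetime are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed model of a winbind cache record (an assumption for this example,
 * not the layout used by winbind_cache.c). */
struct cache_entry {
    char key[64];
    uint32_t sequence_number; /* domain sequence number seen when the entry was stored */
    time_t timeout;           /* absolute expiry time: the field the patch adds */
    bool negative;            /* true when the cached answer is "name not found" */
    bool valid;               /* slot in use */
};

#define CACHE_SLOTS 8
struct cache { struct cache_entry slots[CACHE_SLOTS]; };

typedef bool (*expired_fn)(const struct cache_entry *, uint32_t, time_t);

/* Old check: the entry stays valid as long as the DC's sequence number matches. */
bool expired_seqnum_only(const struct cache_entry *e, uint32_t domain_seqnum, time_t now)
{
    (void)now;
    return e->sequence_number != domain_seqnum;
}

/* Extended check: the entry also expires once its timeout has passed, which is
 * what lets a stale negative entry go away when the sequence number never changes. */
bool expired_with_timeout(const struct cache_entry *e, uint32_t domain_seqnum, time_t now)
{
    return e->sequence_number != domain_seqnum || now >= e->timeout;
}

static struct cache_entry *cache_find(struct cache *c, const char *key)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (c->slots[i].valid && strcmp(c->slots[i].key, key) == 0) {
            return &c->slots[i];
        }
    }
    return NULL;
}

static void cache_store(struct cache *c, const char *key, uint32_t seq,
                        time_t timeout, bool negative)
{
    struct cache_entry *e = cache_find(c, key);
    if (e == NULL) {
        for (int i = 0; i < CACHE_SLOTS && e == NULL; i++) {
            if (!c->slots[i].valid) {
                e = &c->slots[i];
            }
        }
        if (e == NULL) {
            return; /* toy cache full; a real cache would evict */
        }
    }
    snprintf(e->key, sizeof e->key, "%s", key);
    e->sequence_number = seq;
    e->timeout = timeout;
    e->negative = negative;
    e->valid = true;
}

/* Name lookup through the cache. On a miss (or an expired hit) the "DC" is
 * consulted; when it is unreachable the failed lookup is stored as a negative
 * entry, which is the behaviour the mail describes. Returns true if resolved. */
bool lookup_name(struct cache *c, const char *name, bool dc_reachable,
                 uint32_t domain_seqnum, time_t now, int ttl, expired_fn expired)
{
    struct cache_entry *e = cache_find(c, name);
    if (e != NULL && !expired(e, domain_seqnum, now)) {
        return !e->negative; /* served from cache, stale or not */
    }
    bool found = dc_reachable && strcmp(name, "DOMAIN\\user") == 0;
    cache_store(c, name, domain_seqnum, now + ttl, !found);
    return found;
}

/* The second scenario from the mail: first lookup with no DC connection, then
 * the same lookup `elapsed` seconds later once the connection works. The
 * sequence number stays at 100 throughout because nothing changed on the DC. */
bool scenario_dc_unreachable_then_fixed(expired_fn expired, int ttl, time_t elapsed)
{
    struct cache c;
    memset(&c, 0, sizeof c);
    const uint32_t seq = 100;
    (void)lookup_name(&c, "DOMAIN\\user", false, seq, 0, ttl, expired);
    return lookup_name(&c, "DOMAIN\\user", true, seq, elapsed, ttl, expired);
}

int main(void)
{
    const int ttl = 300; /* assumed 5-minute entry lifetime */
    printf("sequence number only, 600s later: %s\n",
           scenario_dc_unreachable_then_fixed(expired_seqnum_only, ttl, 600)
               ? "resolved" : "still not resolved");
    printf("with timeout, 600s later:         %s\n",
           scenario_dc_unreachable_then_fixed(expired_with_timeout, ttl, 600)
               ? "resolved" : "still not resolved");
    printf("with timeout, 10s later:          %s\n",
           scenario_dc_unreachable_then_fixed(expired_with_timeout, ttl, 10)
               ? "resolved" : "still not resolved");
    return 0;
}
```

With the sequence-number-only check the negative entry is never refreshed, so the user still does not resolve after the connection is fixed; with the timeout in the check the same lookup succeeds once the entry's lifetime has passed, while a lookup inside the lifetime is still answered from the cache.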