Winbind caching

Andreas Schneider asn at samba.org
Thu Apr 4 04:26:16 MDT 2013


Hi Volker and others,

I have a bug report that we fail to do some valid name lookups. This goes back to

require_membership_of = redhat

in pam_winbind.conf. As you can see a group without a domain is specified 
which results in a lookup of that group without a domain name.

[2013/04/04 12:08:52.940058, 10, pid=9331] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 9333:LOOKUPNAME
[2013/04/04 12:08:52.940186,  3, pid=9331] winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
  lookupname +redhat
[2013/04/04 12:08:52.940307,  1, pid=9331] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          in: struct wbint_LookupName
              domain                   : *
                  domain                   : ''
              name                     : *
                  name                     : 'REDHAT'
              flags                    : 0x00000000 (0)
[2013/04/04 12:08:52.948321,  1, pid=9331] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupName: struct wbint_LookupName
          out: struct wbint_LookupName
              type                     : *
                  type                     : SID_NAME_DOM_GRP (2)
              sid                      : *
                  sid                      : S-1-5-21-2175650508-4111995269-951467909-1106
              result                   : NT_STATUS_OK



We end up with the following mappings in the cache:

{
key(10) = "NS//REDHAT"
data(66) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00-S-1-5-21-2175650508-4111995269-951467909-1106"
}

{
key(48) = "SN/S-1-5-21-2175650508-4111995269-951467909-1106"
data(28) = "\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat"
}

If you do an 'id' as the user now, it is not able to find the group name in 
the cache:

DISCWORLD+asn@samba:~> id
uid=100001104(DISCWORLD+asn) gid=100000513(DISCWORLD+domain users) groups=100000513(DISCWORLD+domain users),100001106,100001108(DISCWORLD+samba)


I've created a patch which looks up the domain name from the sid if 
domain_name is not set. So we will later find the correct entries when we try 
to look up DISCWORLD\redhat.


Is this the right way to fix it?


	-- andreas

-- 
Andreas Schneider                   GPG-ID: F33E3FC6
Samba Team                             asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-BUG-XXXX-Cache-name-to-sid-sid-to-name-correctly.patch
Type: text/x-patch
Size: 2676 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130404/3879be12/attachment.bin>
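
Added example, not part of the original message or of Samba's code: a decoder for the two cache records quoted above, showing the empty domain stored in the SN record and the key a domain-qualified lookup would need. The record layout (little-endian 32-bit status, 32-bit sequence number, 64-bit timeout, 32-bit name type, then strings with a one-byte length prefix) is an assumption inferred from the byte counts in the dump, and all function names are hypothetical.

```python
import re
import struct

# Constructed input: the data fields of the two records quoted in the message.
NS_DATA = r"\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00-S-1-5-21-2175650508-4111995269-951467909-1106"
SN_DATA = r"\00\00\00\00\88A\00\00#R\5CQ\00\00\00\00\02\00\00\00\00\06redhat"
CACHE_KEYS = {"NS//REDHAT", "SN/S-1-5-21-2175650508-4111995269-951467909-1106"}

def unescape(dump):
    """Turn the dump's \\XX hex escapes back into raw bytes."""
    raw = dump.encode("latin-1")
    return re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def read_str(buf, off):
    """Read a string stored as one length byte followed by that many bytes."""
    if off >= len(buf) or off + 1 + buf[off] > len(buf):
        raise ValueError("string runs past the end of the record")
    end = off + 1 + buf[off]
    return buf[off + 1:end].decode("ascii"), end

def parse_entry(dump, n_strings):
    """Assumed layout: u32 status, u32 sequence, u64 timeout, u32 type, strings."""
    buf = unescape(dump)
    if len(buf) < 20:
        raise ValueError("record shorter than the fixed header")
    status, seq, timeout, sid_type = struct.unpack_from("<IIQI", buf, 0)
    off, strings = 20, []
    for _ in range(n_strings):
        text, off = read_str(buf, off)
        strings.append(text)
    if off != len(buf):
        raise ValueError("unexpected trailing bytes")
    return {"status": status, "sequence": seq, "timeout": timeout,
            "type": sid_type, "strings": strings}

def name_to_sid_key(domain, name):
    """Key shape as it appears in the message: NS/<domain>/<NAME>."""
    return "NS/%s/%s" % (domain, name.upper())

if __name__ == "__main__":
    sid, = parse_entry(NS_DATA, 1)["strings"]
    domain, name = parse_entry(SN_DATA, 2)["strings"]
    print("NS record -> sid", sid)
    print("SN record -> domain %r, name %r" % (domain, name))
    for dom in ("", "DISCWORLD"):
        key = name_to_sid_key(dom, name)
        print(key, "hit" if key in CACHE_KEYS else "miss")
```

Both records parse to exactly their stated lengths (66 and 28 bytes) under the assumed layout, and only the key built with an empty domain is present among the quoted cache keys.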

