Winbindd IDMAP SID-to-UNIX-IDs problem

Burgess, Adam adam.burgess at hp.com
Wed Sep 11 17:39:03 CEST 2013


Hi Michael,

The problem is we are using the samba build that comes with Solaris 10 at present - for support reasons (especially when I am not around to troubleshoot), and I am not sure what the Oracle plans are regarding Samba version.  Given the ease of the fix here (at least how it looks to me) and the importance of it (without it group based access is kind of intermittently broken), is there any chance this could be fixed in 3.6.x?  

We use idmap_ldap but the ldap service is a local anonymous bind LDAP one that simply queries Quest Authentication Services caches (which in turn get their data from AD).  This part does work well, implementing uidNumber, gidNumber and sambaSID (the one in question here) based searches.  

We also split our smbd smb.conf's from our winbindd/general smb.conf (to give discrete smbd's and state files per IP address) so it might be confusing to give each smb.conf.  Below is the testparm output for the winbindd smb.conf (this is also included in the others). 

testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = EMEA-CUST
        realm = EMEA.CUST.NET
        security = ADS
        server schannel = Yes
        obey pam restrictions = Yes
        private dir = /var/samba/private
        ntlm auth = No
        client NTLMv2 auth = No
        dedicated keytab file = /etc/opt/quest/vas/host.keytab
        kerberos method = dedicated keytab
        max log size = 10000
        debug pid = Yes
        smb ports = 445
        min protocol = NT1
        disable netbios = Yes
        max xmit = 65536
        name resolve order = host
        unix extensions = No
        server signing = auto
        deadtime = 15
        machine password timeout = 0
        domain master = No
        ldap ssl = no
        ldap timeout = 10
        state directory = /var/samba/state
        cache directory = /var/samba/cache
        pid directory = /var/samba/pids
        idmap cache time = 36000
        idmap negative cache time = 2147483647
        winbind cache time = 3600
        winbind nested groups = No
        winbind expand groups = 0
        create krb5 conf = No
        winbind max domain connections = 3
        idmap config * : read only = yes
        idmap config * : range = 1000-2147483647
        idmap config * : ldap_url = ldap://localhost/
        idmap config * : backend = ldap
        read only = No
        acl map full control = No
        create mask = 0600
        directory mask = 0700
        map archive = No



-----Original Message-----
From: Michael Adam [mailto:obnox at samba.org] 
Sent: 11 September 2013 16:06
To: Burgess, Adam
Cc: samba-technical at lists.samba.org
Subject: Re: Winbindd IDMAP SID-to-UNIX-IDs problem

Hi Adam,

right, this might be related to the inconsistency issue recorded in bug #9446: https://bugzilla.samba.org/show_bug.cgi?id=9446

This was fixed by a larger rewrite.

There also were a few uid vs gid cut'n'paste errors in cache usage in the past, but these should be fixed in latest 3.6.

Could you please share your smb.conf?

If I am guessing right, you use the rid backend (or autorid).
In that case, could I possibly wake your interest in upgrading to 4.0 now that 4.1 is almost there and 3.6 is going into a very shallow bugfix mode soon?

Cheers - Michael

On 2013-09-11 at 13:48 +0000, Burgess, Adam wrote:
> Update: 3.6.18 has the same code issue. 4.x seems to have a SID2XID rewrite so perhaps not an issue there?
> 
> Adam
> 
> 
> From: Burgess, Adam
> Sent: 11 September 2013 14:23
> To: 'samba-technical at lists.samba.org'
> Subject: RE: Winbindd IDMAP SID-to-UNIX-IDs problem
> 
> Anyone?
> 
> I think the problem would be solved by a small one line condition change as below.  This change I think would prevent a negative cached uid value from being returned when gid entry is not cached.  It may be worth doing the same the other way around too (negative gid when uid not cached) but I suspect the function is never used for such a need, so this might add unnecessary SID2UID lookups.
> 
> File : source3/winbindd/winbindd_sids_to_xids.c:
> 
> 
> Current Function:
> 
> static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid,
>                                            struct id_map *map)
> 
> Bad block logic:
> 
>         if (uid_negative) {
>                 map->sid = sid;
>                 map->xid.id = uid; /* this is (uid_t)-1 */
>                 map->xid.type = ID_TYPE_UID;
>                 map->status = ID_MAPPED;
>                 return true;
>         }
> 
> 
> Should be:
> 
>         if (uid_negative && !gid_cached) {
>                 map->sid = sid;
>                 map->xid.id = uid; /* this is (uid_t)-1 */
>                 map->xid.type = ID_TYPE_UID;
>                 map->status = ID_MAPPED;
>                 return true;
>         }
> 
> 
> However, I notice the idmap caching code was re-written when I look at current source tree - which version was this changed and would it resolve this issue?
> 
> Adam
> 
> 
> From: Burgess, Adam
> Sent: 06 September 2013 15:37
> To: 'samba-technical at lists.samba.org'
> Subject: Winbindd IDMAP SID-to-UNIX-IDs problem
> 
> IDMAP cache somehow ends up with an unmapped SID2UID entry (i.e. value = -1) and the SID2GID entry expires.  At this stage winbindd returns unmapped for a SID-to-UNIX-IDs request.  This results in smbd giving incorrect group memberships and incorrect resource access, until the SID2UID entry expires. This is surely a bug?
> 
> Samba version is 3.6.6 as bundled with our current Solaris 10 patch revision (the platform).  Using only Kerberos PAC SIDs for membership and basic LDAP based IDMAP backend.
> 
> Reproduction steps:
> 
> 
> 1.       Pick a valid UNIX GID that should be mapped to a SID
> 
> 2.       Get SID for this GID (e.g. wbinfo -G <GID>)
> 
> 3.       Delete or set low expiry value for SID2GID entry for this SID (e.g. net cache del IDMAP/SID2GID/<SID>)
> 
> 4.       Now request SID2UID lookup for this SID, which should be unmapped (e.g. wbinfo -S <SID>)
> 
> 5.       Now do SID-to-UNIX-IDs lookup to mimic smbd IDMAP lookup of Kerberos PAC SIDs (e.g. wbinfo --sids-to-unix-ids=<SID>)
> 
> 
> 
> The result is that the SID is unmapped.
> 
> 
> 
> Winbindd IDMAP will not consider the state of having an unmapped SID2UID and an expired or non-existent SID2GID as reason to query IDMAP backend for a SID2GID.
> 
> 
> 
> In our environment this is causing considerable problems as we have a maximum setting for IDMAP negative entries in order to prevent them expiring at all (this is required because we have users in a large number of AD groups, i.e. >400, and only a few required for UNIX, <= Solaris limit of 16).  When negative entries expire, connections take a very long time as a result of the numerous negative IDMAP queries.  This means that we are more likely to hit the problem than with the default cache time values.
> 
> 
> 
>         idmap cache time = 36000
> 
>         idmap negative cache time = 2147483647
> 
> 
> 
> It is not clear which smbd function might be causing the SID2UID lookup (for group SID value) in the first place, but then that seems to me not to be the crucial issue as it may just happen via a wbinfo invocation as above directly anyway.
> 
> 
> 
> Does anyone know if this is a bug and if so if it has been addressed in versions beyond 3.6.6 (I have tested very quickly with 3.6.12 too but it seems to me no different)?
> 
> 
> 
> Thanks,
> 
> 
> 
> Adam
> 

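The following is an added example, not Samba's code and not code from anyone in this thread: a small model of the SID-to-UNIX-IDs cache lookup that replays reproduction steps 1-5 from the quoted report. The cache layout, the function names (lookup_buggy, lookup_fixed, reproduction_state) and the sample SID are assumptions made for illustration. lookup_buggy encodes the behaviour the report describes (a negative SID2UID entry is returned as "mapped to (uid_t)-1" although SID2GID is expired or absent); lookup_fixed encodes the intent stated in the report (a negative entry on one side is only the final answer when the other side is cached negative too, otherwise the lookup is a cache miss so winbindd asks the idmap backend), rather than reproducing the exact condition proposed, since the surrounding variables are not shown on the page.

```c
/* Added example (not Samba code): a model of the SID-to-XID cache lookup
 * discussed in this thread.  Cache layout, function names and the sample SID
 * are assumptions made for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NEG_ID ((unsigned)-1)   /* models (uid_t)-1 / (gid_t)-1 */

enum id_type { ID_TYPE_NOT_SPECIFIED, ID_TYPE_UID, ID_TYPE_GID };

/* One IDMAP/SID2UID or IDMAP/SID2GID entry.  'present' is false once the key
 * has been deleted (net cache del); 'expired' models the cache timeout. */
struct cache_entry {
	bool present;
	bool expired;
	unsigned id;   /* NEG_ID for a negative (unmapped) entry */
};

struct sid_cache {
	char sid[64];
	struct cache_entry sid2uid;
	struct cache_entry sid2gid;
};

struct xid_result {
	bool hit;          /* true: answered from cache; false: ask the idmap backend */
	enum id_type type;
	unsigned id;
};

struct cache_view {
	bool uid_cached, uid_negative, gid_cached, gid_negative;
};

/* Classify both cache entries for one SID. */
static struct cache_view view(const struct sid_cache *c)
{
	struct cache_view v;
	v.uid_cached = c->sid2uid.present && !c->sid2uid.expired;
	v.gid_cached = c->sid2gid.present && !c->sid2gid.expired;
	v.uid_negative = v.uid_cached && c->sid2uid.id == NEG_ID;
	v.gid_negative = v.gid_cached && c->sid2gid.id == NEG_ID;
	return v;
}

static struct xid_result hit(enum id_type t, unsigned id)
{
	struct xid_result r = { true, t, id };
	return r;
}

/* Behaviour the report describes for 3.6: a negative SID2UID entry is returned
 * as "mapped to (uid_t)-1" even though SID2GID is expired or absent. */
static struct xid_result lookup_buggy(const struct sid_cache *c)
{
	struct cache_view v = view(c);
	struct xid_result miss = { false, ID_TYPE_NOT_SPECIFIED, 0 };

	if (v.gid_cached && !v.gid_negative)
		return hit(ID_TYPE_GID, c->sid2gid.id);
	if (v.uid_cached && !v.uid_negative)
		return hit(ID_TYPE_UID, c->sid2uid.id);
	if (v.uid_negative)                 /* the block quoted in the report */
		return hit(ID_TYPE_UID, c->sid2uid.id);
	if (v.gid_negative)
		return hit(ID_TYPE_GID, c->sid2gid.id);
	return miss;
}

/* The intent stated in the report: a negative entry on one side is only the
 * final answer when the other side is also cached negative; otherwise report
 * a miss so winbindd queries the idmap backend (here, for SID2GID). */
static struct xid_result lookup_fixed(const struct sid_cache *c)
{
	struct cache_view v = view(c);
	struct xid_result miss = { false, ID_TYPE_NOT_SPECIFIED, 0 };

	if (v.gid_cached && !v.gid_negative)
		return hit(ID_TYPE_GID, c->sid2gid.id);
	if (v.uid_cached && !v.uid_negative)
		return hit(ID_TYPE_UID, c->sid2uid.id);
	if (v.uid_negative && v.gid_negative)
		return hit(ID_TYPE_UID, NEG_ID);   /* genuinely unmapped */
	return miss;
}

/* Cache state after reproduction steps 1-4 of the report (constructed). */
static struct sid_cache reproduction_state(void)
{
	struct sid_cache c;
	memset(&c, 0, sizeof(c));
	strncpy(c.sid, "S-1-5-21-1-2-3-1234", sizeof(c.sid) - 1); /* sample SID */
	c.sid2gid.present = true;  c.sid2gid.id = 10000;  /* step 2: wbinfo -G */
	c.sid2gid.present = false;                         /* step 3: net cache del */
	c.sid2uid.present = true;  c.sid2uid.id = NEG_ID;  /* step 4: wbinfo -S */
	return c;
}

int main(void)
{
	struct sid_cache c = reproduction_state();
	struct xid_result b = lookup_buggy(&c), f = lookup_fixed(&c);

	/* step 5: the sids-to-unix-ids lookup */
	printf("buggy: hit=%d type=%d id=%u (unmapped)\n", b.hit, b.type, b.id);
	printf("fixed: hit=%d -> backend queried for SID2GID\n", f.hit);
	return 0;
}
```

Run stand-alone, the model returns the unmapped answer from the buggy lookup and a cache miss from the fixed one for the same state; once the SID2GID entry is present again both variants answer with the GID, and only when both sides are cached negative does the fixed variant report the SID as unmapped.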
