Using source3 RPC servers as daemons causes deadlock with winbindd!
abartlet at samba.org
Wed Apr 30 22:04:30 MDT 2014
On Wed, 2014-04-30 at 17:37 +0200, Andreas Schneider wrote:
> On Wednesday 30 April 2014 11:55:40 Andrew Bartlett wrote:
> > The attached patches finally make the source3 winbindd code connect to
> > the LSA and SAMR servers over ncalrpc rather than directly linking the
> > shared library.
> > The problem is, in make test s3dc is set to use:
> > rpc_server:epmapper = external
> > rpc_server:spoolss = external
> > rpc_server:lsarpc = external
> > rpc_server:samr = external
> > rpc_server:netlogon = external
> > rpc_server:register_embedded_np = yes
> > rpc_daemon:epmd = fork
> > rpc_daemon:spoolssd = fork
> > rpc_daemon:lsasd = fork
> > The issue is, when we connect to the RPC server, we lock up due to a
> > recursive call to winbindd (otherwise prevented because of the
> > winbind_off() call).
> > It can be reproduced with:
> > make test TESTS=samba3.blackbox.smbclient_auth.plain
> > GDB backtraces for smbd and winbindd are attached.
> > It appears to be locking up looking via LSA lookupnames and an NSS call
> > for unix group\nogroup
> > Do you think it is reasonable to expect the source3 LSA and SAMR servers
> > to be able to service winbindd when not loaded as a shared library, or
> > should we instead put an exception in for this (only use the pipes when
> > in AD DC mode).
> > Your thoughts and comments would be most valued. As mentioned above,
> > the patch used the to reproduce this is also attached.
> I'll leave today and will back on monday. Then I can look into this.
> Maybe Simo has time ...
My best guess is that winbindd is asking it's 'DC' connection about all
unknown domains, rather than just a whitelist. (This makes sense when
we are a member server, as the DC can answer for other domains, but is
pointless on the DC itself).
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical