Winbindd using 100% of CPU. Any solution?

Richard Sharpe realrichardsharpe at gmail.com
Fri Jan 3 11:14:42 MST 2014


On Thu, Dec 19, 2013 at 7:59 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Wed, Dec 18, 2013 at 10:57 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> On Wed, Dec 18, 2013 at 10:40 AM, Richard Sharpe
>
> Some time yesterday the customer changed something so that the machine
> I was working with could only see three domains:
>
> 1. The one we were joined to, and
> 2. BUILTIN, and
> 3. The machine/local domain.
>
> Now the problem does not occur.
>
> Prior to that we could see 33 domains.
>
> We have another customer with 90+ domains who only sees the problem if
> they use MMC to modify share permissions.
>
> We are now trying to repro the problem in-house.
>
> Is there some way to prevent a joined member server from seeing all the domains?

Well, I am back on this. I started investigating this:

[2014/01/03 12:50:07.363167, 10] winbindd/winbindd_cache.c:4561(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain OIAA (), SID S-1-0-0, flags = 0x20, attributes = 0x1000000, type = 0x1

That is, why are we seeing that SID of S-1-0-0? So, I added a panic
and now I have a core file, and that is due to this code in
winbind_ads.c:

                /* add to the trusted domain cache */

                fstrcpy(d.name, trust->netbios_name);
                fstrcpy(d.alt_name, trust->dns_name);
                if (trust->sid) {
                        sid_copy(&d.sid, trust->sid);
                } else {
                        sid_copy(&d.sid, &global_sid_NULL);
                }

because the list of trusted domains we are getting contains lots of these:

$4 = {netbios_name = 0x8033593e0 "OIAA", dns_name = 0x0, trust_flags = 32,
  parent_index = 0, trust_type = NETR_TRUST_TYPE_DOWNLEVEL,
  trust_attributes = 16777216, sid = 0x0, guid = {time_low = 0, time_mid = 0,
    time_hi_and_version = 0, clock_seq = "\000", node = "\000\000\000\000\000"}}
(gdb) p trusts->array[1]
$5 = {netbios_name = 0x803359680 "yyyy", dns_name = 0x0, trust_flags = 32,
  parent_index = 0, trust_type = NETR_TRUST_TYPE_DOWNLEVEL,
  trust_attributes = 16777216, sid = 0x0, guid = {time_low = 0, time_mid = 0,
    time_hi_and_version = 0, clock_seq = "\000", node = "\000\000\000\000\000"}}
(gdb) p trusts->array[2]
$6 = {netbios_name = 0x8033bf310 "xxxxxxxx", dns_name = 0x0, trust_flags = 32,
  parent_index = 0, trust_type = NETR_TRUST_TYPE_DOWNLEVEL,
  trust_attributes = 16777216, sid = 0x0, guid = {time_low = 0, time_mid = 0,
    time_hi_and_version = 0, clock_seq = "\000", node = "\000\000\000\000\000"}}
(gdb) p trusts->array[3]

where we are not getting a SID or DNS name etc.

So, the corruption is not coming in at that point.

The next thing to look at is why those two domains are causing
problems. I am told that the customer is doing Exchange mailbox
migration.

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
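
Added example, not part of the message above and not Samba code: a small Python scan of a level-10 winbindd log that lists every domain written to the trusted domain cache with the S-1-0-0 placeholder SID, which is what the sid_copy() fallback quoted above produces for trusts returned without a SID. The function names are hypothetical, and the sample log is constructed: its first record mirrors the one quoted in the message (mail-wrapped), the second is invented for contrast.

```python
import re

# Constructed sample log. Record 1 mirrors the entry quoted in the message;
# record 2 (EXAMPLE, with a made-up SID) is invented for contrast.
SAMPLE_LOG = """\
[2014/01/03 12:50:07.363167, 10] winbindd/winbindd_cache.c:4561(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain OIAA (), SID S-1-0-0, flags =
0x20, attributes =
0x1000000, type = 0x1
[2014/01/03 12:50:07.363901, 10] winbindd/winbindd_cache.c:4561(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain EXAMPLE (example.test), SID S-1-5-21-1111-2222-3333, flags = 0x22, attributes = 0x0, type = 0x2
"""

NULL_SID = "S-1-0-0"  # what global_sid_NULL is logged as in the message
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,\s*\d+\]")
ENTRY = re.compile(
    r"wcache_tdc_add_domain: Adding domain (?P<name>\S+) \((?P<dns>[^)]*)\), "
    r"SID (?P<sid>S-[\d-]+), flags = (?P<flags>0x[0-9a-fA-F]+), "
    r"attributes = (?P<attrs>0x[0-9a-fA-F]+), type = (?P<type>0x[0-9a-fA-F]+)"
)

def records(text):
    """Yield each log record as one whitespace-normalised string."""
    current = []
    for line in text.splitlines():
        # A timestamp header starts a new record; other lines continue it.
        if HEADER.match(line) and current:
            yield " ".join(" ".join(current).split())
            current = []
        if line.strip():
            current.append(line)
    if current:
        yield " ".join(" ".join(current).split())

def tdc_additions(text):
    """Return one dict per wcache_tdc_add_domain record found in text."""
    out = []
    for rec in records(text):
        m = ENTRY.search(rec)
        if m:
            out.append({
                "name": m["name"], "dns": m["dns"], "sid": m["sid"],
                "flags": int(m["flags"], 16), "attrs": int(m["attrs"], 16),
                "type": int(m["type"], 16), "null_sid": m["sid"] == NULL_SID,
            })
    return out

def null_sid_domains(text):
    """Names of domains cached with the placeholder SID."""
    return [d["name"] for d in tdc_additions(text) if d["null_sid"]]
```

The decoded values for OIAA (flags 32, attributes 16777216, type 1) line up with the trust_flags, trust_attributes and NETR_TRUST_TYPE_DOWNLEVEL fields in the gdb dump.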

