Winbindd using 100% of CPU. Any solution?

Richard Sharpe realrichardsharpe at gmail.com
Sat Jan 4 12:37:35 MST 2014


On Sat, Jan 4, 2014 at 11:04 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
>>
>> This seems to be the relevant info:
>>
>> in log.wb-EXCHANGE I find this:
>>
>> [2014/01/03 19:42:36.705779, 10] winbindd/winbindd_cache.c:4561(wcache_tdc_add_domain)
>>   wcache_tdc_add_domain: Adding domain XCHANGE (xchange.some.dom), SID S-1-5-21-782252399-1160315966-1364796038, flags = 0x4, attributes = 0x0, type = 0x0
>>
>> and in the winbindd.log I find this:
>>
>> [2014/01/03 19:42:36.139768, 10] winbindd/winbindd_cache.c:4561(wcache_tdc_add_domain)
>>   wcache_tdc_add_domain: Adding domain EXCHANGE (xchange.some.dom), SID S-1-5-21-782252399-1160315966-1364796038, flags = 0x0, attributes = 0x0, type = 0x0
>>
>> The SIDs are the same. The domain XCHANGE seems to be
>>
>> #define NETR_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN ( 0x00000004 )
>>
>> or maybe:
>>
>> #define NETR_TRUST_FLAG_TREEROOT ( 0x00000004 )
>>
>> So, I wonder if we should process it at all?
>
> So many red herrings.
>
> Here is the problem in my case.
>
> For some reason, in this customer's case, they have a domain called
> EXCHANGE and one called XCHANGE, but both seem to have the same DNS
> name (xchange.some.dom). One of them seems permanently offline as
> well, but that does not matter here.
>
> When we get the list of trusted domains, sometimes, we already have
> one of them, EXCHANGE, and we receive an entry for XCHANGE (I think it
> happens in that order.) We search for the domain in
> rescan_forest_trusts, but the search routine doesn't find it. However,
> add_trusted_domain does find the existing one because it also compares
> the alt_name (dns_name passed in) and returns the other entry. We then
> call setup_domain_child on that domain, which calls setup_child.
>
> In setup_child we do:
>
>         child->sock = -1;
>         child->domain = domain;
>
> which then causes us to call fork_domain_child in
> wb_child_request_trigger and bang, we insert the same entry again and
> corrupt the list.
>
> I am going to prevent the call to setup_domain_child if the name
> passed in does not match the name we found to see if I can prevent
> this crash.

The following fugly patch seems to fix the problem. It used to happen
reliably at this customer within 5-6 minutes. Hasn't happened now in
15 minutes. However, still watching:

samba-3.6.12/source3/winbindd/winbindd_util.c
@@ -498,12 +500,19 @@
                                                        dom_list[i].dns_name,
                                                        &cache_methods,
                                                        &dom_list[i].sid );
-                               if (d != NULL) {
+                               /* Only add it if it has the correct name */
+                               if (d != NULL && (dom_list[i].domain_name[0] &&
+                                               !strcmp(dom_list[i].domain_name,
+                                                       d->name))) {
                                        setup_domain_child(d);
                                }
                        }

-                       if (d == NULL) {
+                       if (d == NULL || (dom_list[i].domain_name[0] &&
+                                       strcmp(dom_list[i].domain_name,
+                                       d->name))) {
+                               DEBUG(0, ("skipping duplicate/bad domain %s\n",
+                                       d->name));
                                continue;
                        }
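
Review bot: the rewritten `if (d == NULL || ...)` test still takes the branch when d is NULL, and the new DEBUG call inside it formats `d->name`, so the case that used to be a silent `continue` now dereferences a NULL pointer. Log `dom_list[i].domain_name` instead, which is also the entry actually being skipped (`d->name` is the existing entry that was matched), or handle the NULL case in its own branch before the name comparison. The two new conditions also disagree when `dom_list[i].domain_name` is empty: the first skips setup_domain_child, the second does not `continue`, so the mismatched entry falls through to the code below; a comment stating which behaviour is intended would help.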



-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
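
The lookup mismatch described in the message above, as an added example that is not Samba code and not part of the original post: a name-only search misses the alias, a name-or-DNS-name search returns the existing node, and inserting that node again leaves the list cyclic unless the names are compared first. All identifiers (`struct dom`, `list_add`, `find_by_name`, `find_by_name_or_alt`, `list_len`, `process_trust`, `run_scenario`) are hypothetical, and the model collapses winbindd's domain list and child list into a single list.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a trusted-domain list; all names are illustrative. */
struct dom { const char *name, *alt_name; struct dom *next; };

/* Head insert with no membership check, as a plain head insert does. */
static void list_add(struct dom **head, struct dom *d) { d->next = *head; *head = d; }

/* Search keyed on the short name only: misses an alias of a known entry. */
static struct dom *find_by_name(struct dom *h, const char *name) {
    for (; h; h = h->next)
        if (strcmp(h->name, name) == 0) return h;
    return NULL;
}

/* Search that also accepts a DNS-name match: returns the other entry. */
static struct dom *find_by_name_or_alt(struct dom *h, const char *name, const char *alt) {
    for (; h; h = h->next)
        if (strcmp(h->name, name) == 0 || strcmp(h->alt_name, alt) == 0) return h;
    return NULL;
}

/* Bounded walk: node count, or -1 if the list does not end within limit. */
static int list_len(const struct dom *h, int limit) {
    int n = 0;
    while (h && n <= limit) { h = h->next; n++; }
    return n > limit ? -1 : n;
}

/* Handle one incoming trust entry and return the resulting list length.
 * guard != 0 re-registers the found node only if its name matches exactly. */
static int process_trust(struct dom **head, const char *name, const char *dns, int guard) {
    if (find_by_name(*head, name)) return list_len(*head, 16); /* already known */
    struct dom *d = find_by_name_or_alt(*head, name, dns);
    if (d && (!guard || strcmp(d->name, name) == 0))
        list_add(head, d); /* d is already linked: this creates a cycle */
    return list_len(*head, 16);
}

/* Constructed case from the thread: EXCHANGE known, XCHANGE shares its DNS name. */
static int run_scenario(int guard) {
    struct dom exch = { "EXCHANGE", "xchange.some.dom", NULL };
    struct dom *head = NULL;
    list_add(&head, &exch);
    return process_trust(&head, "XCHANGE", "xchange.some.dom", guard);
}

int main(void) { printf("unguarded=%d guarded=%d\n", run_scenario(0), run_scenario(1)); return 0; }
```

A result of -1 means the bounded walk never reached the end of the list, which is the condition any unbounded traversal of that list would spin on.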

