BUG 12127: winbindd issues on 4.3.11 stack.
hemanth.thummala at nutanix.com
Tue Aug 9 17:42:40 UTC 2016
Yes. We are not seeing any more ldap timeouts after changing the "client ldap sasl wrapping" to sign.
Thanks a lot Uri for helping out!
On 8/8/16, 11:41 PM, "samba-technical on behalf of Uri Simchoni" <samba-technical-bounces at lists.samba.org on behalf of uri at samba.org> wrote:
>On 08/08/2016 09:46 AM, Hemanth Thummala wrote:
>> Hello All,
>> We currently have 4.3.5 stack. Recently we have consumed all 4.3.11 changes (BADLOCK and other security fixes) and started unit testing them. We have found that all authentication requests are failing after a long timeout (more than a minute). Also any command (like sudo, ls <share path>) that requires a UID lookup (by winbindd) is also failing after waiting for a few seconds.
>> I have created a bug (https://bugzilla.samba.org/show_bug.cgi?id=12127) for this issue and provided detailed logs and process stack. Since there have been quite a few security changes from 4.3.5, it's becoming difficult to root cause the issue. At this point, I could see some relevance with the changes made to CVE-2016-2112 which has changes for strong security enforcements for LDAP connections.
>> I see that someone else also posted a similar issue in Red Hat forums without a solution: https://access.redhat.com/solutions/2290811
>> Any help in root causing this issue is much appreciated.
>For the list - the issue got resolved by resetting "client ldap sasl
>wrapping" from "plain" to its default of "sign". Still not clear what
>caused just the post-security-release code to fail, since the security
>release only changed the Samba LDAP server to require signing.
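A check for the setting this thread settled on, as an added example that is not part of the original messages or of Samba: it reads smb.conf text and reports the effective "client ldap sasl wrapping" value in [global], flagging "plain". The function names and sample configs are constructed for illustration; it assumes the parameter is set directly in [global] (include files are not followed) and matches the name ignoring case and spaces, as Samba does.

```python
import re

PARAM = "clientldapsaslwrapping"  # name with case and spaces removed
DEFAULT = "sign"                  # default named in the thread above

def normalize(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def effective_wrapping(conf_text):
    """Return the [global] 'client ldap sasl wrapping' value, or the default."""
    value, section, pending = DEFAULT, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):           # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalize(line[1:-1])
            continue
        name, sep, val = line.partition("=")
        if sep and section == "global" and normalize(name) == PARAM:
            value = val.strip().strip('"').lower()  # a later assignment overrides
    return value

def audit(conf_text):
    """Return (value, verdict) for the LDAP SASL wrapping setting."""
    value = effective_wrapping(conf_text)
    if value == "plain":
        return value, "FAIL: no signing or sealing on LDAP; use sign or seal"
    if value in ("sign", "seal"):
        return value, "OK"
    return value, "WARN: unrecognized value"

# Constructed sample configurations (not taken from the bug report).
SAMPLE_PLAIN = """
[global]
   workgroup = EXAMPLE
   Client LDAP  SASL Wrapping = plain
[share]
   path = /srv/share
"""
SAMPLE_UNSET = "[global]\n   workgroup = EXAMPLE\n"

if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("unset", SAMPLE_UNSET)):
        print(name, audit(text))
```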