[PATCHES] winbindd: use idmap cache in getpwuid and getgrgid
uri at samba.org
Tue Dec 27 19:03:43 UTC 2016
LGTM, pushing it as-is after I review the cache priming stuff, because
it is not degrading (we're still better off with some caching than no
caching). If someone wants is_domain_online() we can add it later.
Some comments below.
On 12/27/2016 12:29 PM, Volker Lendecke wrote:
> On Tue, Dec 27, 2016 at 10:44:15AM +0100, Volker Lendecke wrote:
>> Hi, Uri!
>> On Sun, Dec 25, 2016 at 08:48:23PM +0200, Uri Simchoni wrote:
>>> The attached patch set makes sure that the winbindd getpwuid() and
>>> getgrgid() implementations use the idmap cache if available (this seems
>>> to be a 4.5.x regression due to the xids->sids cleanup).
>> That might well be the case. I wonder if this could be done directly
>> in the xids2sids call without the wrappers.
>> While there -- attached find two patches that also prime the cache in
>> the xids2sids calls, which was lost also.
> What do you think about the attached patch?
I'm fine with the approach of doing it within wb_xids2sids_send() - I
thought it wasn't done that way intentionally, to save another cache
lookup in case we're being called by smbd. But this is
> This deliberately does not do the is_domain_online() business, just
> because I don't fully understand the relevance here.
What I find generally reasonable about the is_domain_online business is
that things that have been cached continue to work while we cannot look
them up over the network. OTOH in this particular case, there's indeed
no 1:1 relationship between the thing that is tested (our domain) and
the entity that needs to be contacted (depends on the idmap backend -
could be any domain or no domain).
> Currently I am trying to fully understand all the online/offline
> implementation, that from my point of view is a bit clumsy. I am open
> for any hints how this is supposed to work and what corner cases we
> need to take cover with it. My current understanding is that
> online/offline is mainly for interactive workstation style offline
> logons. Is it relevant at all for the pure file server workload?
> For file servers we can't cache credentials anyway, so there is no
> real point in trying to continue when the DC is not around beyond the
> caching we do anyway. What am I missing here?
We can use the PAC to authenticate users when we're offline, but
compared to Windows servers, we have that extra leg of converting the
SIDs to xIDs. I am working on an "offline operation" patch set based on
the PAC and algorithmic id-mapping, and from that POV I think I can
fulfill that just fine without the online business (no cache -> go to
backend -> algorithmic). The reason I put it in my original patch was
that that's how it used to be.
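To make the lookup order discussed above concrete, here is a small Python model of "cache -> idmap backend -> algorithmic mapping" with cache priming switchable, so the effect of the lost priming shows up. This is an added illustration and not winbindd code; the class and function names, the domain SID, the uids and the algorithmic base are all made up for the example.

```python
"""Toy model of the xid -> SID lookup order from the thread: idmap cache first,
then the idmap backend (which may be unreachable), then algorithmic mapping.
Added illustration, not winbindd code; every name and value here is invented."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
ALGORITHMIC_BASE = 1000000              # constructed: uid = RID + base


class BackendOffline(Exception):
    """The idmap backend (or whatever domain it needs) cannot be reached."""


@dataclass
class IdmapBackend:
    online: bool = True
    lookups: int = 0
    # constructed backend table, standing in for e.g. an LDAP-backed idmap
    table: Dict[int, str] = field(default_factory=lambda: {
        10001: DOMAIN_SID + "-1103",
        10002: DOMAIN_SID + "-1104",
    })

    def xid_to_sid(self, uid: int) -> Optional[str]:
        if not self.online:
            raise BackendOffline(f"uid {uid}")
        self.lookups += 1
        return self.table.get(uid)


@dataclass
class Resolver:
    backend: IdmapBackend
    prime_cache: bool = True            # False models "priming was lost"
    cache: Dict[int, str] = field(default_factory=dict)

    def xid_to_sid(self, uid: int) -> Tuple[Optional[str], str]:
        """Return (sid or None, where the answer came from)."""
        sid = self.cache.get(uid)
        if sid is not None:
            return sid, "cache"
        try:
            sid = self.backend.xid_to_sid(uid)
        except BackendOffline:
            # No cache entry and no backend: the only thing left is the
            # algorithmic mapping, which covers just the algorithmic range.
            if uid >= ALGORITHMIC_BASE:
                return f"{DOMAIN_SID}-{uid - ALGORITHMIC_BASE}", "algorithmic"
            return None, "unresolved"
        if sid is None:
            return None, "unmapped"
        if self.prime_cache:
            self.cache[uid] = sid       # prime the cache for later lookups
        return sid, "backend"


def run_scenario(prime_cache: bool) -> Dict[str, object]:
    """Resolve a uid twice while online, then lose the backend and retry."""
    backend = IdmapBackend()
    r = Resolver(backend, prime_cache=prime_cache)
    first = r.xid_to_sid(10001)
    second = r.xid_to_sid(10001)
    online_lookups = backend.lookups
    backend.online = False              # simulate losing the idmap source
    return {
        "first": first,
        "second": second,
        "backend_lookups_while_online": online_lookups,
        "cached_uid_offline": r.xid_to_sid(10001),
        "uncached_uid_offline": r.xid_to_sid(10002),
        "algorithmic_uid_offline": r.xid_to_sid(ALGORITHMIC_BASE + 1105),
    }


if __name__ == "__main__":
    for prime in (False, True):
        print("prime_cache =", prime)
        for key, value in run_scenario(prime).items():
            print(f"  {key}: {value}")
```

With priming on, the second online lookup is served from the cache and the same uid still resolves after the backend goes away; with priming off, every lookup goes to the backend and nothing survives the outage except uids in the algorithmic range. Note that the offline branch here is keyed on the backend being unreachable, not on is_domain_online(), which matches the point made above that the entity being contacted depends on the idmap backend.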