[PATCHES] authenticating users during short disconnects from AD

Volker Lendecke vl at samba.org
Wed Dec 28 15:00:27 UTC 2016


On Wed, Dec 28, 2016 at 02:54:38PM +0200, Uri Simchoni wrote:
> I just hit that race myself (my QA did - told them to wait a little
> longer for winbindd to initialize before they start harassing it)...
> 
> Just to make sure we're on the same page:
> 
> #1 - if the special code is returned, we invoke, say,
> wbint_IDMapSetDomainSid and retry xid2sid.

The child might try to get the sid from gencache, which was filled in
netsamlogon_cache_store. If that fails, it returns the error code. The
parent might also try, but the parent knowing the name can do a
lookupnames call on just the domain name. This is a network call, but
it will be only once per domain and can be overridden with the
samlogon cache.

> #2 - we optimistically try sid2xid with type unspecified. The question
> is what to do if that fails - resolve the SIDs only for that call or for
> all later calls? Making a mental note that this backend needs sid lookup
> before mapping is good for backends which require this by their nature,
> such as rfc2307 - avoid the double lookup. OTOH some backends only need
> the SID type for allocation of new SIDs, so avoiding the "mental note"
> might result in better offline operation with those backends.

The sid2xid call in the parent could maintain a list of domain sids
that require the lookup. I would expect this to be a per-domain thing.
So SID S-1-5-21-1-2-3-513 comes in, idmap backend fails, parent does
the lookupsids call, retries with "hey, this is ID_TYPE_GID". Parent
also remembers that S-1-5-21-1-2-3 requires the type, and when
S-1-5-21-1-2-3-514 comes along it directly does the lookupsids call.
When S-1-5-21-2-3-4-513 comes in, the game starts fresh for
S-1-5-21-2-3-4.

Am I missing something?

Volker
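The per-domain retry strategy sketched above, as an added simulation written for this archive page (it is not Samba code): the backend, the lookupsids call, the SID data and the ID_TYPE names are all constructed stand-ins, and the counters show how many network lookups each SID costs once a domain is remembered as needing the type.

```python
from dataclasses import dataclass, field

# Constructed id-type names standing in for winbindd's ID_TYPE_* values.
ID_TYPE_NOT_SPECIFIED, ID_TYPE_UID, ID_TYPE_GID = "not_specified", "uid", "gid"

# Constructed directory data: what a lookupsids call would report per SID.
DIRECTORY = {
    "S-1-5-21-1-2-3-513": ID_TYPE_GID,
    "S-1-5-21-1-2-3-514": ID_TYPE_GID,
    "S-1-5-21-2-3-4-513": ID_TYPE_GID,
}

# Domains whose idmap backend (rfc2307-style) cannot map without the SID type.
TYPE_REQUIRED_DOMAINS = {"S-1-5-21-1-2-3", "S-1-5-21-2-3-4"}


def domain_sid(sid: str) -> str:
    """Strip the RID: S-1-5-21-1-2-3-513 -> S-1-5-21-1-2-3."""
    return sid.rsplit("-", 1)[0]


@dataclass
class WinbindParent:
    needs_type: set = field(default_factory=set)  # domains known to need lookupsids first
    lookupsids_calls: int = 0                      # network round trips to the DC
    backend_calls: int = 0                         # calls into the (mock) idmap child

    def idmap_backend(self, sid, id_type):
        """Mock idmap child: None plays the 'I need the SID type' special return code."""
        self.backend_calls += 1
        if id_type == ID_TYPE_NOT_SPECIFIED and domain_sid(sid) in TYPE_REQUIRED_DOMAINS:
            return None
        return (id_type, 10000 + int(sid.rsplit("-", 1)[1]))  # constructed xid allocation

    def lookupsids(self, sid):
        """Mock lookupsids: one network call, answers with the SID's type."""
        self.lookupsids_calls += 1
        return DIRECTORY[sid]

    def sid2xid(self, sid):
        dom = domain_sid(sid)
        if dom in self.needs_type:
            # Domain already remembered: go straight to lookupsids, no optimistic try.
            return self.idmap_backend(sid, self.lookupsids(sid))
        result = self.idmap_backend(sid, ID_TYPE_NOT_SPECIFIED)  # optimistic first attempt
        if result is not None:
            return result
        self.needs_type.add(dom)  # every later SID of this domain skips the failed attempt
        return self.idmap_backend(sid, self.lookupsids(sid))
```

A domain whose backend does not need the type (S-1-5-32 in the test) never enters the list, so it keeps the single optimistic call and works offline.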
