tevent_abort_nesting crash in idmap_ad

Jeremy Allison jra at samba.org
Sat Jun 25 15:16:57 UTC 2016

On Sat, Jun 25, 2016 at 08:37:40AM +0200, Volker Lendecke wrote:
> It's one thing to use the sync wrappers. We have a *lot* of code doing
> that. It's another thing to offer an async API that has no chance to
> actually deliver what it promises to do -- asynchrony.

Oh I agree. I don't think offering such an async api
was a great idea when under the covers it can never
be so. But it's easily avoided here, so let's just
do that. No large code reverts needed.

> I've talked to Love many years ago about async GSSAPI and he said he
> would need it for Apple.  Do you want us to wait for that to go into
> heimdal and then through the standards bodies into MIT too? We're
> talking a decade *if* it will ever happen given the current focus on
> releases heimdal has right now. Also, putting the kinit into a
> helper thread will reveal so many bugs in libkrb5 that people will
> run away and the "winbind rpc only" setting will become very important
> again to prevent any krb5 use, like it was when it was put in
> initially.

The act of getting krb5 creds under both gssapi and gensec
is sync, and will (probably) always remain sync. Not much
we can do about it - just be aware of the issue and avoid
it in future code.

> The revert is just as simple. It also fixes the crash just as
> nicely.

Much bigger code change I'm afraid. Smaller changes usually win :-).

> tldap was already rejected once in the past by the AD developers because
> in the AD world linking everything together using direct ldb access is
> the technically superior solution.  I should have learned my lesson
> back then that tldap is just not the direction the Samba project is
> heading. So it needs to leave, now that we have found another road block
> that is not practical to remove.

That's not a very helpful attitude - don't rehash old
wounds, it doesn't really help move things forward.

tldap is in the code, works really well as a
significant async improvement for all general ldap calls
- just not bind. There's no need to throw the baby out
with the bathwater. I'm pretty sure Ralph is also in
favour of keeping tldap (although I don't want to speak
for him).

Let's have a phone call about this. I can call over
the weekend or on Monday morning if you're busy with the
family. Let me know!

