[PATCH] bug 11259 - get smbd to use winbindd to prime the netsamlogon and name2sid caches.

Jeremy Allison jra at samba.org
Wed Sep 28 16:21:35 UTC 2016


On Wed, Sep 28, 2016 at 09:04:44AM -0700, Jeremy Allison wrote:
> On Wed, Sep 28, 2016 at 07:23:06AM +0300, Uri Simchoni wrote:
> > On 09/28/2016 05:32 AM, Jeremy Allison wrote:
> > > Fix for bug:
> > > 
> > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
> > > 
> > > Cheers,
> > > 
> > > Jeremy.
> > > 
> > I doubt that [1/2] goes in the right direction, because the winbindd
> > cache priming sometimes requires an ldap query (to check the USN of the
> > domain), and is doing it from the parent winbindd process.
> 
> It was already doing the netsamlogon cache,
> this is just adding the name2sid cache. This
> is a smaller change to get to the same codepath
> (name2sid_cache) that you were already testing
> with. It's also only done to the primary domain
> that the parent is already contacting, so I
> don't think this is any worse than what is already
> there.

FYI - just confirmed this with Guenther - we
are already doing sequence queries in the parent
(not all _send()/_recv pairs are async-forwarded
to children).

If you want to prevent this in this codepath then
it's possible we could add a name2sid cache entry
that doesn't check sequence numbers first and use
that if it comes from a trusted source (PAC). Does
that sound like a plan?


