[PATCH] bug 11259 - get smbd to use winbindd to prime the netsamlogon and name2sid caches.

Uri Simchoni uri at samba.org
Wed Sep 28 18:01:15 UTC 2016


On 09/28/2016 08:36 PM, Jeremy Allison wrote:
> On Wed, Sep 28, 2016 at 09:21:35AM -0700, Jeremy Allison wrote:
>>
>> FYI - just confirmed this with Guenther - we
>> are already doing sequence queries in the parent
>> (not all _send()/_recv pairs are async-forwarded
>> to children).
>>
>> If you want to prevent this in this codepath then
>> it's possible we could add a name2sid cache entry
>> that doesn't check sequence numbers first and use
>> that if it comes from a trusted source (PAC). Does
>> that sound like a plan ?
> 
> So if you are worried the extra refresh_sequence_number()
> is too much of a burden in your use case we can make
> the new code call a new function:
> 
> cache_name2sid_trusted() which would avoid the
> refresh_sequence_number() call and just call
> wcache_save_name_to_sid(). As it's coming directly
> from a valid krb5 ticket then we can trust it.
> 
> Does that help ?
> 
That would be great.

I haven't researched this fully and right now I have other duties to
attend to, but I see signs of fishiness with the sequence number refresh
from the parent process (I made two session setups 7 minutes apart, got
a new ldap connection opened for each one instead of reusing the
connection, with all the discovery enchilada). This could be some
consequence of my setup, or it could be a bug, which went undetected
because the sequence number from parent code path is not used often.

I'll be happier knowing that we don't introduce another blocking network
request in the parent.

Thanks,
Uri.
