[RFC] handle id-map cache pollution by "unix users" SIDs

Uri Simchoni uri at samba.org
Sun Apr 9 11:55:57 UTC 2017


Recently I've encountered a case where some unix uids that fall in the
range of the primary domain got mapped to a unix sid (S-1-22-1-xxx). I'm
not sure yet how this could happen; it must have been a transient error.
But this mapping created a long-lasting cached entry.

So regardless of how it happened, there should not be such a long-lasting
cache entry IMHO.

Possible solutions:
1. Cache unix sids for a shorter time, because usually they represent
incomplete or incorrect configuration - that's the simplest; see the attached patch.
2. In the legacy uid->sid, first verify the uid is not in the range of a
configured domain, and do the caching only if not in any known
3. Others?

Comments welcome.

-------------- next part --------------
From d9ae60d52185bf5d03be52aac7b372c0f91981b2 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri at samba.org>
Date: Sun, 9 Apr 2017 14:45:04 +0300
Subject: [PATCH] idmap_cache: cache unix users/groups entries as negative

"Unix Users/foo" SIDs are mapped from uids as a fallback,
usually resulting from an incorrect or incomplete
configuration. Another case where they happen is some
transient error in the id-mapping mechanism. In both cases
we'd want those cache entries to be much shorter-lived than
regular entries.

Signed-off-by: Uri Simchoni <uri at samba.org>
 source3/lib/idmap_cache.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
index 1e8a1eb..9a88f5e 100644
--- a/source3/lib/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -318,8 +318,11 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
 			/* negative xid mapping */
 			fstrcpy(value, "-");
 			timeout = lp_idmap_negative_cache_time();
-		}
-		else {
+		} else if (sid_check_is_in_unix_users(sid) ||
+			   sid_check_is_in_unix_groups(sid)) {
+			sid_to_fstring(value, sid);
+			timeout = lp_idmap_negative_cache_time();
+		} else {
 			sid_to_fstring(value, sid);
 			timeout = lp_idmap_cache_time();
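Review bot: the new `else if` branch on `sid_check_is_in_unix_users(sid) || sid_check_is_in_unix_groups(sid)` stores a positive mapping via `sid_to_fstring(value, sid)` but ages it with `lp_idmap_negative_cache_time()`, and nothing in the code says why; the branch above carries `/* negative xid mapping */`, so give this one a comment too, e.g. `/* unix users/groups fallback: keep it short-lived */`. Since both positive branches now call `sid_to_fstring(value, sid)`, that call can be hoisted out and only `timeout` chosen in the conditional. Two things to confirm outside the hunk: if this function also writes the reverse unix-id-to-SID entry with the same `timeout` variable, that entry is shortened as well (presumably intended, but worth stating in the commit message); and because the commit message says these SIDs "usually" come from bad configuration, setups that rely on the fallback deliberately will now re-resolve every `idmap negative cache time` seconds, which may deserve a mention in the option documentation.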

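To make the lifetime difference between the three approaches concrete, here is an added example in C. It is not Samba code and not from the patch: a toy uid-to-SID cache with absolute expiry stands in for gencache, the idmap ranges ("*" 10000-19999, "EXAMPLE" 100000-199999), the uid 150000 and the SID S-1-22-1-150000 are constructed, and 604800 s / 120 s are the assumed defaults of "idmap cache time" and "idmap negative cache time". `timeout_original` is the pre-patch policy, `timeout_patched` is option 1 from the mail, and `should_cache_option2` is option 2 (refuse to cache a unix fallback SID for a uid that a configured domain range owns); all three are names chosen for the example.

```c
/*
 * Added example, not Samba code: a toy id-map cache that replays the incident
 * from the mail (a transient error caches S-1-22-1-150000 for uid 150000,
 * which lies in EXAMPLE's range) and measures how long the polluted entry
 * stays visible under each policy.  Ranges, uid and timeouts are constructed;
 * 604800 s and 120 s are assumed defaults of the two idmap cache options.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IDMAP_CACHE_TIME          604800 /* assumed default: one week */
#define IDMAP_NEGATIVE_CACHE_TIME 120    /* assumed default: two minutes */
#define CACHE_SLOTS 8

/* Constructed smb.conf idmap configuration: default range plus one domain. */
struct idmap_range { const char *domain; uint32_t low, high; };
static const struct idmap_range ranges[] = {
	{ "*",       10000,  19999  },
	{ "EXAMPLE", 100000, 199999 },
};

static bool has_prefix(const char *s, const char *p) { return strncmp(s, p, strlen(p)) == 0; }
static bool sid_is_unix_users(const char *sid)  { return has_prefix(sid, "S-1-22-1-"); }
static bool sid_is_unix_groups(const char *sid) { return has_prefix(sid, "S-1-22-2-"); }

/* Option 2 building block: does the uid belong to any configured domain range? */
bool uid_in_configured_range(uint32_t uid)
{
	for (size_t i = 0; i < sizeof(ranges) / sizeof(ranges[0]); i++) {
		if (uid >= ranges[i].low && uid <= ranges[i].high) return true;
	}
	return false;
}

/* Original policy: only a failed lookup (uid == -1) gets the short timeout. */
int timeout_original(const char *sid, int64_t uid)
{
	(void)sid;
	return uid == -1 ? IDMAP_NEGATIVE_CACHE_TIME : IDMAP_CACHE_TIME;
}

/* Option 1 (the patch): unix users/groups fallback SIDs also get the short timeout. */
int timeout_patched(const char *sid, int64_t uid)
{
	if (uid == -1 || sid_is_unix_users(sid) || sid_is_unix_groups(sid))
		return IDMAP_NEGATIVE_CACHE_TIME;
	return IDMAP_CACHE_TIME;
}

/* Option 2: never cache a fallback SID for a uid that a configured domain owns. */
bool should_cache_option2(const char *sid, int64_t uid)
{
	bool fallback = sid_is_unix_users(sid) || sid_is_unix_groups(sid);
	return !(uid != -1 && fallback && uid_in_configured_range((uint32_t)uid));
}

/* Minimal uid -> SID cache with absolute expiry, standing in for gencache. */
struct entry { bool used; int64_t uid; int64_t expires; char sid[64]; };
static struct entry cache[CACHE_SLOTS];

void cache_reset(void) { memset(cache, 0, sizeof(cache)); }

void cache_set(int64_t uid, const char *sid, int timeout, int64_t now)
{
	for (size_t i = 0; i < CACHE_SLOTS; i++) {
		if (!cache[i].used || cache[i].uid == uid) {
			cache[i].used = true;
			cache[i].uid = uid;
			cache[i].expires = now + timeout;
			snprintf(cache[i].sid, sizeof(cache[i].sid), "%s", sid);
			return;
		}
	}
}

/* Returns the cached SID, or NULL when there is no live entry for the uid. */
const char *cache_get(int64_t uid, int64_t now)
{
	for (size_t i = 0; i < CACHE_SLOTS; i++) {
		if (cache[i].used && cache[i].uid == uid && now < cache[i].expires)
			return cache[i].sid;
	}
	return NULL;
}

/* Seconds the polluted S-1-22-1-150000 entry stays visible under a policy. */
int64_t pollution_lifetime(int (*pick_timeout)(const char *, int64_t), bool use_option2)
{
	const int64_t uid = 150000;               /* constructed: inside EXAMPLE's range */
	const char *bad_sid = "S-1-22-1-150000";  /* what the unix-users fallback produced */
	int64_t t = 0;

	cache_reset();
	if (!use_option2 || should_cache_option2(bad_sid, uid)) {
		cache_set(uid, bad_sid, pick_timeout(bad_sid, uid), 0);
	}
	while (cache_get(uid, t) != NULL) t++;
	return t;
}

int main(void)
{
	printf("original policy:   %lld s\n", (long long)pollution_lifetime(timeout_original, false));
	printf("option 1 (patch):  %lld s\n", (long long)pollution_lifetime(timeout_patched, false));
	printf("option 2 (ranges): %lld s\n", (long long)pollution_lifetime(timeout_original, true));
	return 0;
}
```

Under the original policy the bad entry survives the full week; option 1 cuts that to the negative cache time; option 2 never stores it, while a uid outside every configured range (a genuine local account) is still cached as a unix SID as before.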
More information about the samba-technical mailing list