[Samba] Winbind deadlock with AD and nss
Ed Plese
eplese at gmail.com
Sun Aug 26 17:00:31 GMT 2007
Hi,
I'm testing out Samba 3.0.25c with Active Directory using the rid
idmap backend. In certain cases there seems to be a repeatable
deadlock in winbind.
I have a local user "ed" created with uid 100 and no user exists with
uid 1001. Here's the behavior I'm seeing with wbinfo:
# time wbinfo -U 100
S-1-22-1-100
real 0m0.047s
user 0m0.014s
sys 0m0.007s
# time wbinfo -U 1001
S-1-22-1-1001
real 5m35.097s
user 0m0.015s
sys 0m0.011s
The first command behaves as expected but the expected result of the
second command is "Could not convert uid 1001 to sid" with an
execution time of much less than 1 second as is seen with Samba 3.0.24
and lower.
This is running on Solaris 10 (x86) and compiled with Sun Studio 11
using the OpenLDAP and MIT Kerberos 5 libraries from Blastwave. The
exact same configuration works fine with 3.0.24 with the only
difference being the idmap configuration changes between 3.0.24 and
3.0.25.
In /etc/nsswitch.conf I have:
passwd: files winbind
group: files winbind
During the query to winbindd, uid 1001 is not within the range used
for the MYAD rid backend which causes the lookup to then be attempted
by passdb. passdb in turn calls getpwuid which ends up querying
winbind through nss_winbind which is what leads to the deadlock.
When I remove winbind from nsswitch.conf the 5 minute delay is gone
but wbinfo returns "S-1-22-1-1001" which is different from what
previous Samba versions returned.
Here's the contents of smb.conf:
[global]
workgroup = MYAD
realm = MYAD.ORG
security = ads
encrypt passwords = yes
smb passwd file = /etc/samba/private/smbpasswd
winbind separator = +
winbind use default domain = yes
winbind nested groups = no
obey pam restrictions = yes
winbind enum users = yes
winbind enum groups = yes
allow trusted domains = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
idmap domains = MYAD
idmap config MYAD: default = yes
idmap config MYAD: backend = rid
idmap config MYAD: range = 10000-100000000
idmap config MYAD: readonly = yes
name resolve order = host
dns proxy = no
In Samba versions prior to 3.0.25 the idmap options in smb.conf were:
idmap uid = 10000-100000000
idmap gid = 10000-100000000
idmap backend = idmap_rid:MYAD=10000-100000000
Is there something wrong with my new idmap configuration or is this a
bug? 3.0.25 implicitly adds the passdb backend which I don't think
older versions did. Disabling this might fix the problem but is there
any way to do that? Any other ideas on things to try?
Thanks,
Ed Plese
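As an added illustration of the lookup path described in the post (this is not code from the post or from Samba), the following Python check reads the per-domain idmap range from smb.conf and the passwd line of nsswitch.conf, then reports which backend winbindd's uid-to-SID lookup would reach for a given uid. The config fragments are copied from the post; the function names are my own.

```python
import re

# Constructed sample fragments, copied from the configuration in the post.
SMB_CONF = """[global]
workgroup = MYAD
idmap uid = 10000-100000000
idmap gid = 10000-100000000
idmap domains = MYAD
idmap config MYAD: backend = rid
idmap config MYAD: range = 10000-100000000
"""
NSSWITCH_CONF = """passwd: files winbind
group: files winbind
"""

# Matches lines of the form "idmap config DOMAIN: range = LOW-HIGH".
RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def idmap_ranges(text):
    """Map each idmap domain to its configured (low, high) id range."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def nss_uses_winbind(text, database="passwd"):
    """True if the given nsswitch.conf database lists winbind as a source."""
    for line in text.splitlines():
        name, _, sources = line.partition(":")
        if name.strip() == database:
            return "winbind" in sources.split()
    return False


def lookup_path(uid, ranges, winbind_in_nss):
    """Describe which backend a uid->SID query falls through to."""
    for domain, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            return f"idmap backend for {domain}"
    # Outside every configured range: the query falls through to passdb.
    if winbind_in_nss:
        return "passdb -> getpwuid -> nss_winbind -> winbindd (re-entrant)"
    return "passdb (local files only)"
```

Running lookup_path with a uid such as 1001, which lies below the 10000-100000000 range, shows the re-entrant path the post describes, while a uid inside the range is answered by the rid backend directly.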