[Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

Don Meyer dlmeyer at uiuc.edu
Thu May 10 06:54:38 GMT 2007 

At 04:40 PM 5/9/2007, simo wrote:
>On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
> > At 06:00 PM 5/4/2007, simo wrote:
> > >Sorry for the problem, this slipped through during recent patches to fix
> > >the sid checking layer violation and the idmap offline code.
> >
> > No problem.
> >
> > I may have another for you, however.   This patch enables me to
> > successfully restore when using a tdb backend.  However, when using
> > idmap_ldap, it seems that winbind is opening a connection to the ldap
> > server and not closing it for many updates/queries.
> >
> > When I try 'net idmap restore' when using idmap_ldap, the command
> > will plug away until the ldap server starts complaining "accept(8)
> > failed errno=24 (Too many open files)".   netstat -aln shows around
> > 1000 open connections from winbind on another system. (The one 
> with 3.0.25rc3+)
>
>Found the problem, see patch for revision 22771.
>Another one-liner :/
>
>Thanks again for testing rc3 out.


Simo, you are going to think I'm picking on you, but I think we may 
have yet another problem...

The 22771 patch does fix winbindd's abuse of the ldap server -- when 
I start winbind, it opens two sessions to the ldap server.  When I 
subsequently try the 'net idmap restore' command to restore several 
thousand SID-UID/GID mappings,  all the transactions flow one of 
those TCP sessions.  However, the command throws a huge list of 
errors (thousands) that we've seen before IIRC, and we thought you 
had fixed with patch 22677:

-------------------
Could not set mapping of UID 10392 to sid 
S-1-5-21-893289765-2623729106-2343379446-1290
Could not set mapping of UID 10107 to sid 
S-1-5-21-893289765-2623729106-2343379446-1120
Could not set mapping of UID 15937 to sid 
S-1-5-21-893289765-2623729106-2343379446-3005
Could not set mapping of UID 10745 to sid 
S-1-5-21-893289765-2623729106-2343379446-2134
Could not set mapping of UID 10476 to sid 
S-1-5-21-893289765-2623729106-2343379446-1311
Could not set mapping of UID 17143 to sid 
S-1-5-21-893289765-2623729106-2343379446-1899
Could not set mapping of UID 15891 to sid 
S-1-5-21-893289765-2623729106-2343379446-1880
Could not set mapping of UID 10109 to sid 
S-1-5-21-893289765-2623729106-2343379446-1131
Could not set mapping of UID 15912 to sid 
S-1-5-21-893289765-2623729106-2343379446-1853
Could not set mapping of UID 10900 to sid 
S-1-5-21-893289765-2623729106-2343379446-1417
Could not set mapping of UID 10708 to sid 
S-1-5-21-893289765-2623729106-2343379446-1369
Could not set mapping of UID 10557 to sid 
S-1-5-21-893289765-2623729106-2343379446-1587
...
--------------------------

The ldap.log shows an equally long list of suspect entries:

---------------------------
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7233 ADD 
dn="sambaSID=S-1-5-21-25438887-418410483-241655303-3099,ou=idmap,dc=aces-web"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7233 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7234 ADD 
dn="sambaSID=S-1-5-21-25438887-418410483-241655303-2867,ou=idmap,dc=aces-web"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7234 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7235 ADD 
dn="sambaSID=S-1-5-21-25438887-418410483-241655303-1279,ou=idmap,dc=aces-web"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7235 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7236 ADD 
dn="sambaSID=S-1-5-21-25438887-418410483-241655303-2435,ou=idmap,dc=aces-web"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7236 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7237 ADD 
dn="sambaSID=S-1-5-21-25438887-418410483-241655303-2893,ou=idmap,dc=aces-web"
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7237 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 ADD 
dn="sambaSID=S-1-5-21-893289765-2623729106-2343379446-2458,ou=idmap,dc=aces-web" 

May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7238 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 ADD 
dn="sambaSID=S-1-5-21-893289765-2623729106-2343379446-1417,ou=idmap,dc=aces-web" 

May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7239 RESULT 
tag=105 err=68 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 ADD 
dn="sambaSID=S-1-5-21-893289765-2623729106-2343379446-2676,ou=idmap,dc=aces-web" 

May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7240 RESULT 
tag=105 err=0 text=
May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 ADD 
dn="sambaSID=S-1-5-21-893289765-2623729106-2343379446-2401,ou=idmap,dc=aces-web" 

May 10 01:07:21 lns-0 slapd2.3[7972]: conn=8624 op=7241 RESULT 
tag=105 err=0 text=
....
---------------------------

Afterward, testing the UID mappings that should have been established 
(by 'getent passwd {username}' results in allocation of a new number.

My first thought was that perhaps I missed the original patch for 
this problem, so I reset the smb.conf back from ldap to tdb mode, 
cleaned out /var/lib/samba/ and restarted the smb & winbind service, 
then issued the same 'net idmap restore' command -- which finished 
without a single error, and successfully initialized all the 
users/groups to their correct UID/GID.

So, the previous patch fixes TDB mode, but that particular problem 
appears to still exist under LDAP mode.

If there is any additional info you need (or tests to run) to help 
diagnose this problem, I'd be glad to try to get it for you.

Cheers,
-D



Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759

More information about the samba mailing list