[Samba] Possible problem w/ 'idmap restore' under 3.0.25rc3 (the sequel)

simo idra at samba.org
Fri May 11 12:17:32 GMT 2007

On Thu, 2007-05-10 at 01:54 -0500, Don Meyer wrote:
> At 04:40 PM 5/9/2007, simo wrote:
> >On Fri, 2007-05-04 at 19:14 -0500, Don Meyer wrote:
> > > At 06:00 PM 5/4/2007, simo wrote:
> > > >Sorry for the problem, this slipped through during recent patches to fix
> > > >the sid checking layer violation and the idmap offline code.
> > >
> > > No problem.
> > >
> > > I may have another for you, however. This patch enables me to
> > > successfully restore when using a tdb backend.  However, when using
> > > idmap_ldap, it seems that winbind is opening a connection to the ldap
> > > server and not closing it for many updates/queries.
> > >
> > > When I try 'net idmap restore' when using idmap_ldap, the command
> > > will plug away until the ldap server starts complaining "accept(8)
> > > failed errno=24 (Too many open files)".   netstat -aln shows around
> > > 1000 open connections from winbind on another system. (The one
> > > with 3.0.25rc3+)
> >
> >Found the problem, see patch for revision 22771.
> >Another one-liner :/
> >
> >Thanks again for testing rc3 out.
> Simo, you are going to think I'm picking on you, but I think we may 
> have yet another problem...

No, if there are problems, better to know.

> The 22771 patch does fix winbindd's abuse of the ldap server -- when 
> I start winbind, it opens two sessions to the ldap server.  When I 
> subsequently try the 'net idmap restore' command to restore several 
> thousand SID-UID/GID mappings, all the transactions flow over one of 
> those TCP sessions.  However, the command throws a huge list of 
> errors (thousands) that we've seen before IIRC, and we thought you 
> had fixed with patch 22677:


> Afterward, testing the UID mappings that should have been established 
> (by 'getent passwd {username}') results in allocation of a new number.

I need to know what error you get; I have no errors in storing the IDs,
they get created in ldap for me.
Maybe you can get to the real error the server returns?

> My first thought was that perhaps I missed the original patch for 
> this problem, so I reset the smb.conf back from ldap to tdb mode, 
> cleaned out /var/lib/samba/ and restarted the smb & winbind service, 
> then issued the same 'net idmap restore' command -- which finished 
> without a single error, and successfully initialized all the 
> users/groups to their correct UID/GID.
> So, the previous patch fixes TDB mode, but that particular problem 
> appears to still exist under LDAP mode.
> If there is any additional info you need (or tests to run) to help 
> diagnose this problem, I'd be glad to try to get it for you.

Need to know why the ldap server refuses to create the entries.
I can't repro this.

Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
