[PATCH] bug 11259 - get smbd to use winbindd to prime the netsamlogon and name2sid caches.
Christof Schmitt
cs at samba.org
Wed Sep 28 18:50:06 UTC 2016
On Wed, Sep 28, 2016 at 11:28:47AM -0700, Jeremy Allison wrote:
> On Wed, Sep 28, 2016 at 09:01:15PM +0300, Uri Simchoni wrote:
>
> > That would be great.
> >
> > I haven't researched this fully and right now I have other duties to
> > attend to, but I see signs of fishiness with the sequence number refresh
> > from the parent process (I made two session setups 7 minutes apart, got
> > a new ldap connection opened for each one instead of reusing the
> > connection, with all the discovery enchilada). This could be some
> > consequence of my setup, or it could be a bug, which went undetected
> > because the sequence number from parent code path is not used often.
> >
> > I'll be happier knowing that we don't introduce another blocking network
> > request in the parent.
>
> Feel free to add this to the patchset once it's gone
> in if you want it.
This is not related to the core issue here, but just to understand what
is going on: can someone point me to a reference on what this sequence
number is and how it is used in winbindd?
Christof
>
> Cheers,
>
> Jeremy.
> From ea6700f321c4b6b2b0b59d7f371f0732a529cd3e Mon Sep 17 00:00:00 2001
> From: Jeremy Allison <jra at samba.org>
> Date: Wed, 28 Sep 2016 11:26:04 -0700
> Subject: [PATCH] s3: winbind: Trust name2sid mappings from the PAC.
>
> Don't refresh sequence number in parent as the
> mapping comes from a trusted DC.
>
> Signed-off-by: Jeremy Allison <jra at samba.org>
> ---
> source3/winbindd/winbindd_cache.c | 19 +++++++++++++++++++
> source3/winbindd/winbindd_pam.c | 2 +-
> source3/winbindd/winbindd_proto.h | 5 +++++
> 3 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
> index 2bce12d..3e01ff0 100644
> --- a/source3/winbindd/winbindd_cache.c
> +++ b/source3/winbindd/winbindd_cache.c
> @@ -3339,6 +3339,25 @@ bool lookup_cached_name(const char *domain_name,
> return NT_STATUS_IS_OK(status);
> }
>
> +/*
> + * Cache a name to sid without checking the sequence number.
> + * Used when caching from a trusted PAC.
> + */
> +
> +void cache_name2sid_trusted(struct winbindd_domain *domain,
> + const char *domain_name,
> + const char *name,
> + enum lsa_SidType type,
> + const struct dom_sid *sid)
> +{
> + wcache_save_name_to_sid(domain,
> + NT_STATUS_OK,
> + domain_name,
> + name,
> + sid,
> + type);
> +}
> +
> void cache_name2sid(struct winbindd_domain *domain,
> const char *domain_name, const char *name,
> enum lsa_SidType type, const struct dom_sid *sid)
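Review bot: the comment block above cache_name2sid_trusted() is separated from the function by a blank line, so it reads as a floating comment rather than the function's documentation; drop the blank line. The comment should also state the safety argument rather than just the use case: this path writes the mapping with NT_STATUS_OK and skips the sequence-number check that cache_name2sid() relies on, so the entry will not be invalidated by a later sequence-number change until it ages out normally. Say explicitly that callers may only pass names taken from a PAC whose signature has already been verified, since an unverified PAC fed through this shortcut would seed the cache with unchecked name-to-SID mappings.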
> diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
> index da874c7..8456876 100644
> --- a/source3/winbindd/winbindd_pam.c
> +++ b/source3/winbindd/winbindd_pam.c
> @@ -2598,7 +2598,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
> info3_copy->base.domain_sid,
> info3_copy->base.rid);
>
> - cache_name2sid(domain,
> + cache_name2sid_trusted(domain,
> info3_copy->base.logon_domain.string,
> info3_copy->base.account_name.string,
> SID_NAME_USER,
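Review bot: the switch to cache_name2sid_trusted() in winbindd_pam_auth_pac_send() is where the trust decision is actually made, yet neither the hunk nor the commit message says what makes the PAC trusted at this point. A one-line comment above the call, e.g. `/* PAC already validated, safe to cache without seqnum check */`, would tie the call site to the precondition the new helper depends on. The commit message should also note that this is the only caller changed in the patch and carry a reference to bug 11259, since that is the bug this thread is addressing.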
> diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
> index 4d99927..5e3d9fb 100644
> --- a/source3/winbindd/winbindd_proto.h
> +++ b/source3/winbindd/winbindd_proto.h
> @@ -86,6 +86,11 @@ bool lookup_cached_name(const char *domain_name,
> const char *name,
> struct dom_sid *sid,
> enum lsa_SidType *type);
> +void cache_name2sid_trusted(struct winbindd_domain *domain,
> + const char *domain_name,
> + const char *name,
> + enum lsa_SidType type,
> + const struct dom_sid *sid);
> void cache_name2sid(struct winbindd_domain *domain,
> const char *domain_name, const char *name,
> enum lsa_SidType type, const struct dom_sid *sid);
> --
> 2.7.4
>