The Samba-Bugzilla – Attachment 18288 Details for Bug 15605: Improve performance of lookup_groupmem() in idmap_ad
lookup_groupmem-4.20.patch (text/plain), 7.16 KB, created by Pavel Filipenský on 2024-04-16 14:38:53 UTC
>From 2b478bafd808218d3471fd5b1c9dc7d8e528cdb0 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Wed, 13 Mar 2024 13:55:41 +0100 >Subject: [PATCH 1/4] docs-xml: Add parameter all_groupmem to idmap_ad >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) >--- > docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ > 1 file changed, 10 insertions(+) > >diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml >index 32df8d066c2..c7fcc65d763 100644 >--- a/docs-xml/manpages/idmap_ad.8.xml >+++ b/docs-xml/manpages/idmap_ad.8.xml >@@ -105,6 +105,16 @@ > </listitem> > </varlistentry> > <varlistentry> >+ <term>all_groupmem = yes/no</term> >+ <listitem><para> >+ If set to <parameter>yes</parameter> winbind will retrieve all >+ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, >+ including those with missing uidNumber. >+ </para> >+ <para>Default: no</para> >+ </listitem> >+ </varlistentry> >+ <varlistentry> > <term>deny ous</term> > <listitem><para>This parameter is a list of OUs from > which objects will not be mapped via the ad idmap >-- >2.41.0 > > >From 2259b59220b625cd682a3d22024ab442a56ecc3a Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Tue, 12 Mar 2024 13:20:24 +0100 >Subject: [PATCH 2/4] s3:winbindd: Improve performance of lookup_groupmem() in > idmap_ad >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >The LDAP query of lookup_groupmem() returns all group members from AD >even those with missing uidNumber. Such group members are useless in >UNIX environment for idmap_ad backend since there is no uid mapping. > >'test_user' is member of group "Domanin Users" with 200K members, >only 20K members have set uidNumber. > >Without this fix: > >$ time id test_user > >real 1m5.946s >user 0m0.019s >sys 0m0.012s > >With this fix: > >$ time id test_user > >real 0m3.544s >user 0m0.004s >sys 0m0.007s > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) >--- > source3/winbindd/winbindd_ads.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > >diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c >index 7e572e5d41f..7d6324033ea 100644 >--- a/source3/winbindd/winbindd_ads.c >+++ b/source3/winbindd/winbindd_ads.c >@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, > } > > static NTSTATUS add_primary_group_members( >- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, >+ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, > char ***all_members, size_t *num_all_members) > { > char *filter; 
>@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members( > char **members; > size_t num_members; > ads_control args; >+ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); > > filter = talloc_asprintf( >- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", >- (unsigned)rid); >+ mem_ctx, >+ "(&(objectCategory=user)(primaryGroupID=%u)%s)", >+ (unsigned)rid, >+ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); > if (filter == NULL) { > goto done; > } >@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, > > DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); > >- status = add_primary_group_members(ads, mem_ctx, rid, >+ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, > &members, &num_members); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(10, ("%s: add_primary_group_members failed: %s\n", >-- >2.41.0 > > >From 84b6ef6a95d821e44462105250ce50d124a62150 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 25 Mar 2024 22:38:18 +0100 >Subject: [PATCH 3/4] selftest: Add "winbind expand groups = 1" to > setup_ad_member_idmap_ad >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) >--- > selftest/target/Samba3.pm | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm >index bbce55ea508..cf40633d127 100755 >--- a/selftest/target/Samba3.pm >+++ b/selftest/target/Samba3.pm 
>@@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad > idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 > gensec_gssapi:requested_life_time = 5 > winbind scan trusted domains = yes >+ winbind expand groups = 1 > "; > > my $ret = $self->provision( >-- >2.41.0 > > >From 550c6218e83468874a6a11295a7b08b148d1295a Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Thu, 14 Mar 2024 15:24:21 +0100 >Subject: [PATCH 4/4] tests: Add a test for "all_groups=no" to test_idmap_ad.sh >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> >Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 > >(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) >--- > nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ > 1 file changed, 22 insertions(+) > >diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh >index 7ae112ada71..1d4bd395ba9 100755 >--- a/nsswitch/tests/test_idmap_ad.sh >+++ b/nsswitch/tests/test_idmap_ad.sh >@@ -94,6 +94,14 @@ gidNumber: 2000001 > unixHomeDirectory: /home/forbidden > loginShell: /bin/tcsh > gecos: User in forbidden OU >+ >+dn: CN=no_posix_id,CN=Users,$BASE_DN >+changetype: add >+objectClass: user >+samaccountName: no_posix_id >+unixHomeDirectory: /home/no_posix_id >+loginShell: /bin/sh >+gecos: User without uidNumber and gidNumber > EOF > > # 
>@@ -171,6 +179,17 @@ then > failed=$(($failed + 1)) > fi > >+# >+# Test 6: Make sure that with the default "all_groups=no" >+# the group "domain users" will not show user "no_posix_id" >+# but will show "SAMBA2008R2/administrator" >+# >+ >+dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word >+out="$($wbinfo --group-info "$dom_users")" >+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) >+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) >+ > # > # Trusted domain test 1: Test uid of Administrator, should be 2500000 > # >@@ -241,6 +260,9 @@ gidNumber: 2000002 > dn: cn=forbidden,ou=sub,$BASE_DN > changetype: delete > >+dn: CN=no_posix_id,CN=Users,$BASE_DN >+changetype: delete >+ > dn: ou=sub,$BASE_DN > changetype: delete > EOF >-- >2.41.0 >
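Review bot: In the docs-xml/manpages/idmap_ad.8.xml hunk (PATCH 1/4), the all_groupmem entry mentions only members "with missing uidNumber", but the filter that PATCH 2/4 applies in the default case is "(uidNumber=*)(!(uidNumber=0))", so members with uidNumber=0 are dropped as well. Suggest saying so in the paragraph, and noting that the filter is applied in add_primary_group_members(), which is the only query this series changes. The value is read with idmap_config_bool(domname, "all_groupmem", false), so the term could also make clear that this is a per-domain idmap config option.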
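Review bot: In the add_primary_group_members() hunk of PATCH 2/4 (@@ -1051), the default of false for all_groupmem changes what an existing configuration returns: primary-group members without uidNumber, or with uidNumber=0, no longer appear unless the option is set. Anything that relies on the enumerated membership of a group will see a shorter list after the update, so this deserves a release note and a short comment above the filter explaining why uidNumber=0 is excluded. The attribute name uidNumber is also hard-coded in the format string; if the backend can be configured to read the uid from a differently named attribute, the filter should be built from that name instead.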
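Review bot: In the setup_ad_member_idmap_ad hunk of PATCH 3/4, "winbind expand groups = 1" is added with no reason given in the commit message or next to the setting. A one-line explanation of which check depends on it (presumably the wbinfo --group-info test added in PATCH 4/4) would keep a later cleanup from removing it.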
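Review bot: In the Test 6 hunk of PATCH 4/4 (@@ -171), the comment and the commit subject call the option "all_groups=no", while the parameter documented in PATCH 1/4 and read in PATCH 2/4 is all_groupmem; please use the same name throughout. The test covers only the default: there is no case that sets all_groupmem = yes and expects no_posix_id to be listed, so the opt-in path is untested. The second check greps for the literal "SAMBA2008R2/administrator" although the group name is built from $DOMAIN, and the new lines use $(expr $failed + 1) where the context line above uses $(($failed + 1)).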
Flags: asn: review+