From Daniel Liberman: I have a small patch to propose. We had a small problem with ‘net ads search’es on some customer networks (definitely WANs). Apparently when the latency is too high, if we query for all the accounts in an Active Directory domain with a large number of users/groups, it will return just part of the accounts (instead of the whole set), but not all of them. Running with detailed debugs, it gives us a clue why: ads_do_paged_search_args: ldap_search_with_timeout((sAMAccountType=805306368)) -> Time limit exceeded After that I started to try and reproduce the problem here. So reduced ldap timeout to 1 second on smb.conf, and simulated a high latency (~200ms) in our linux router between the client and the domain controller. I can reproduce the scenario consistently. The real problem is: when just a subset of the accounts is returned, the error code from the net ads search command is 0, and no message is printed to stderr. Some other times no account is returned, and we have the error message, and it returns -1. So, basically, we were mislead to believe the command worked, when it didn’t. After debugging a lot I realized the problem: inside ads_do_search_all_args(), if the first call to ads_do_paged_search_args(), the proper error status is returned. And in this case no account is returned, so this scenario is OK. But, if the execution is already inside the loop to get all the accounts doing several calls to ads_do_paged_search_args(), and one of these calls times out, the status returned is from the *first* call, so success. This causes net_ads_search() to interpret the return from ads_do_search_retry() as success and print all the accounts returned, but it’s only a subset. This patch attached fixes this behavior: it returns the proper error code on ads_do_search_all_args(). I also modified net_ads_search() to dump all the replies found so far anyway, and then return -1 in case of an error. Just another piece of information: something very similar must happen on “net ads user” calls (and others). We have had this problem in the past, several times, and never got to the bottom of the issue: it returned only a subset of the accounts, but the result from the command was not an error. I always thought it returned cached information, or something. Since (now I know that) net ads user also uses the LDAP search mechanism, we could even apply the same “fix” to other commands.
I'll upload the patch shortly once I've got it into master. Jeremy.
Created attachment 9616 [details] git-am fix that went into master. Applies cleanly to 4.0.next, 4.1.next. Jeremy.
Comment on attachment 9616 [details] git-am fix that went into master. Sigh. This got dropped :-(. Adding more reviewers - already gone into master. Jeremy.
Comment on attachment 9616 [details] git-am fix that went into master. The code change looks good, but the commit is missing the authors signed-off-by tag.
Pinged Daniel to get his signed-off-by. Jeremy.
Created attachment 9723 [details] Updated with Daniel's signed-off-by.
Comment on attachment 9723 [details] Updated with Daniel's signed-off-by. LGTM.
Re-assigning to Karolin for inclusion in 4.0.next, 4.1.next. Jeremy.
Pushed to autobuild-v4-1-test and autobuild-v4-0-test.
(In reply to comment #9) > Pushed to autobuild-v4-1-test and autobuild-v4-0-test. Pushed to v4-1-test and v4-0-test. Closing out bug report. Thanks!