Created attachment 9755 [details]
Fix of "id -a" issue

The GETGRENT loop running across the trusted domains stops evaluation when any of the DCs is off-line (cannot connect error) and no group is returned.

This issue affects commands like:
getent group ...no MS domain group is returned (only the groups from the other nsswitch.conf "group" tables)
id -a <user> ...no auxiliary groups are returned (SVR4 "id" is not using the getgroupbyname() interface)

Affected Samba releases are 4.1.x and 3.6.x; the patch is the same for both.
Comment on attachment 9755 [details] Fix of "id -a" issue > Samba Winbind GETGRENT interface fails when any trusted domain is not available > >--- a/nsswitch/wb_common.c 2014-02-07 17:26:50.046234000 +0100 >+++ b/nsswitch/wb_common.c 2014-02-07 17:33:40.280002000 +0100 >@@ -462,7 +462,7 @@ > > if (ret == 0) { > /* Not ready for read yet... */ >- if (total_time >= 30) { >+ if (total_time >= 1000) { > /* Timeout */ > winbind_close_sock(); > return -1; >--- a/source3/winbindd/wb_next_grent.c 2014-02-07 17:27:14.079647000 +0100 >+++ b/source3/winbindd/wb_next_grent.c 2014-02-07 17:58:36.599520000 +0100 >@@ -103,18 +103,16 @@ > TALLOC_FREE(subreq); > if (tevent_req_nterror(req, status)) { > /* Ignore errors here, just log it */ >- DEBUG(10, ("query_user_list for domain %s returned %s\n", >+ DEBUG(3, ("query_user_list for domain %s returned: %s\n", > state->gstate->domain->name, > nt_errstr(status))); >- return; > } > if (!NT_STATUS_IS_OK(result)) { > /* Ignore errors here, just log it */ >- DEBUG(10, ("query_user_list for domain %s returned %s/%s\n", >+ DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n", > state->gstate->domain->name, > nt_errstr(status), nt_errstr(result))); >- tevent_req_nterror(req, result); >- return; >+ state->gstate->num_groups = 0; > } > > state->gstate->num_groups = state->next_groups.num_principals;
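Review bot: In the nsswitch/wb_common.c hunk, the timeout comparison changes from `total_time >= 30` to `total_time >= 1000` with no comment or named constant explaining the new value. Every process that reaches this client code waits that much longer before winbind_close_sock() and `return -1` when nothing becomes readable, so an unresponsive winbindd can stall callers such as id and getent for far longer than before. Since the wb_next_grent.c change is meant to stop an off-line domain from aborting the enumeration, please check whether the longer wait is still needed; if it is, put the value in a named constant and document its unit and why this number was chosen.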
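Review bot: In the source3/winbindd/wb_next_grent.c hunk, removing `return;` after `if (tevent_req_nterror(req, status))` lets the function keep running after tevent_req_nterror() has already marked the request as finished with an error and notified its callback, so the lines below operate on a completed request. To ignore the error as the comment says, test `!NT_STATUS_IS_OK(status)` for the log message instead of calling tevent_req_nterror(). In the second block, the added `state->gstate->num_groups = 0;` is overwritten straight away by the unchanged `state->gstate->num_groups = state->next_groups.num_principals;` after the closing brace, so it has no effect of its own; clear next_groups.num_principals in the failure branch or move the unchanged assignment into an else branch.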
Created attachment 9774 [details] fix of getgrent Later fix