Bug 10487 - GETGRENT func. fail the evaluation loop if any DC can not be connected.
GETGRENT func. fail the evaluation loop if any DC can not be connected.
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
unspecified
All All
: P5 normal
: ---
Assigned To: Samba QA Contact
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-07 15:52 UTC by Jura Sasek
Modified: 2014-03-14 10:26 UTC (History)
0 users

See Also:


Attachments
Fix of "id -a" issue (1.30 KB, patch)
2014-03-07 15:52 UTC, Jura Sasek
no flags Details
fix of getgrent (1.28 KB, patch)
2014-03-14 10:26 UTC, Jura Sasek
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jura Sasek 2014-03-07 15:52:19 UTC
Created attachment 9755 [details]
Fix of "id -a" issue

GETGRENT loop running across the trusted domains stops evaluation when any of the DCs is off-line (can not connect error) and no group is returned.

This issue affects commands like a:

getent group
...no MS domain group is returned (only the groups from the other nsswitch.conf "group" tables)

id -a <user>
...no auxiliary groups are returned (SVR4 "id" is not using the getgroupbyname() interface)

Affected Samba releases are 4.1.x, 3.6.x patch is the same for both.
Comment 1 Jura Sasek 2014-03-14 10:11:45 UTC
Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;
Comment 2 Jura Sasek 2014-03-14 10:13:38 UTC
Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;
Comment 3 Jura Sasek 2014-03-14 10:14:24 UTC
Comment on attachment 9755 [details]
Fix of "id -a" issue

 Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;
Comment 4 Jura Sasek 2014-03-14 10:19:57 UTC
Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;
Comment 5 Jura Sasek 2014-03-14 10:26:55 UTC
Created attachment 9774 [details]
fix of getgrent

Later fix