10487 – GETGRENT func. fail the evaluation loop if any DC can not be connected.

Bug 10487 - GETGRENT func. fail the evaluation loop if any DC can not be connected.

Summary: GETGRENT func. fail the evaluation loop if any DC can not be connected.

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-03-07 15:52 UTC by Jura Sasek
Modified:	2014-03-14 10:26 UTC (History)
CC List:	0 users

See Also:

Attachments
Fix of "id -a" issue (1.30 KB, patch) 2014-03-07 15:52 UTC, Jura Sasek	no flags	Details
fix of getgrent (1.28 KB, patch) 2014-03-14 10:26 UTC, Jura Sasek	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jura Sasek 2014-03-07 15:52:19 UTC

Created attachment 9755 [details]
Fix of "id -a" issue

GETGRENT loop running across the trusted domains stops evaluation when any of the DCs is off-line (can not connect error) and no group is returned.

This issue affects commands like a:

getent group
...no MS domain group is returned (only the groups from the other nsswitch.conf "group" tables)

id -a <user>
...no auxiliary groups are returned (SVR4 "id" is not using the getgroupbyname() interface)

Affected Samba releases are 4.1.x, 3.6.x patch is the same for both.

Comment 1 Jura Sasek 2014-03-14 10:11:45 UTC

Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;

Comment 2 Jura Sasek 2014-03-14 10:13:38 UTC

Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;

Comment 3 Jura Sasek 2014-03-14 10:14:24 UTC

Comment on attachment 9755 [details]
Fix of "id -a" issue

 Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;

Comment 4 Jura Sasek 2014-03-14 10:19:57 UTC

Comment on attachment 9755 [details]
Fix of "id -a" issue

> Samba Winbind GETGRENT interface fails when any trusted domain is not available
>
>--- a/nsswitch/wb_common.c	2014-02-07 17:26:50.046234000 +0100
>+++ b/nsswitch/wb_common.c	2014-02-07 17:33:40.280002000 +0100
>@@ -462,7 +462,7 @@
> 
> 		if (ret == 0) {
> 			/* Not ready for read yet... */
>-			if (total_time >= 30) {
>+			if (total_time >= 1000) {
> 				/* Timeout */
> 				winbind_close_sock();
> 				return -1;
>--- a/source3/winbindd/wb_next_grent.c	2014-02-07 17:27:14.079647000 +0100
>+++ b/source3/winbindd/wb_next_grent.c	2014-02-07 17:58:36.599520000 +0100
>@@ -103,18 +103,16 @@
> 	TALLOC_FREE(subreq);
> 	if (tevent_req_nterror(req, status)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s\n",
>+		DEBUG(3, ("query_user_list for domain %s returned: %s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status)));
>-		return;
> 	}
> 	if (!NT_STATUS_IS_OK(result)) {
> 		/* Ignore errors here, just log it */
>-		DEBUG(10, ("query_user_list for domain %s returned %s/%s\n",
>+		DEBUG(1, ("query_user_list for domain %s failed with: %s/%s\n",
> 			   state->gstate->domain->name,
> 			   nt_errstr(status), nt_errstr(result)));
>-		tevent_req_nterror(req, result);
>-		return;
>+		state->gstate->num_groups = 0;
> 	}
> 
> 	state->gstate->num_groups = state->next_groups.num_principals;

Comment 5 Jura Sasek 2014-03-14 10:26:55 UTC

Created attachment 9774 [details]
fix of getgrent

Later fix