Bug 11267 - Winbindd does not reuse ldap connections if the connection is signed or sealed
Summary: Winbindd does not reuse ldap connections if the connection is signed or sealed
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.2.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2015-05-10 04:34 UTC by Uri Simchoni
Modified: 2015-05-21 08:10 UTC

See Also:


Attachments
- Proposed fix (1.83 KB, patch), 2015-05-10 04:38 UTC, Uri Simchoni
- Slight change to deal with context already expired. (2.00 KB, patch), 2015-05-11 17:28 UTC, Jeremy Allison
- git-am fix for master. (2.11 KB, patch), 2015-05-12 19:04 UTC, Jeremy Allison
- git-am cherry-pick from master for 4.2.next, 4.1.next. (2.49 KB, patch), 2015-05-13 16:39 UTC, Jeremy Allison, flags: slow: review+

Description Uri Simchoni 2015-05-10 04:34:25 UTC
When parameter "client ldap sasl wrapping" is set to "signed" or "sealed", ldap connections are not being reused. Each ldap query to the same DC results in closing the previous ldap connection and opening a new one with all the sasl binding process.
The reopening of the connection involves several round-trips which has significance where RTT is not negligible or where other network issues exist.

The issue can be evident from the packet traces and logs of https://bugzilla.samba.org/show_bug.cgi?id=11259:
- The scenario is two users doing session setup one after the other. First user uris, then user uris2.
- For each user, an ldap query is made to retrieve info on the user (which is the subject of that bug)
- In packet 21314 we see that winbindd closes the ldap connection that was created to cater to user uris, and then immediately starts the process of opening a new connection to cater to user uris2.
- The log shows in line 23269:
"Current tickets expire in -1430903792 seconds (at 0, time is now 1430903792)"
i.e. the end time of the tgt or the service ticket is not recorded in the ads struct.
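The log line above is the symptom of the reuse check seeing an expiry time that was never recorded. The following added example (not Samba's code; the struct, field and function names are hypothetical simplifications of winbindd's connection state) reproduces that arithmetic: with both expiry fields left at 0, the "seconds left" value is minus the current time, so the connection is always treated as expired and torn down, whereas recording the lifetimes at bind time lets the check reuse the connection until the earliest ticket actually runs out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical, simplified model of a winbindd LDAP connection's ticket state
 * (illustration only, not Samba's actual struct). A value of 0 means the
 * expiry was never recorded, which is the defect described in the report. */
struct ads_conn {
    time_t tgt_expire;     /* end time of the TGT used for the SASL bind */
    time_t ticket_expire;  /* end time of the LDAP service ticket */
    bool   sasl_wrapped;   /* true when "client ldap sasl wrapping" is signed/sealed */
};

/* Seconds until the earliest recorded ticket expires, computed the way the
 * log line "Current tickets expire in N seconds (at E, time is now T)" does:
 * N = E - T. With nothing recorded, E is 0 and N is simply -T. */
long ticket_seconds_left(const struct ads_conn *c, time_t now) {
    time_t expire = c->tgt_expire;
    if (c->ticket_expire != 0 && (expire == 0 || c->ticket_expire < expire))
        expire = c->ticket_expire;
    return (long)(expire - now);
}

/* A connection is worth reusing only while its tickets still have lifetime. */
bool can_reuse(const struct ads_conn *c, time_t now) {
    return ticket_seconds_left(c, now) > 0;
}

/* Store the lifetimes learned during the SASL bind so later checks see real
 * values instead of 0 (the kind of bookkeeping the missing piece amounts to). */
void record_ticket_lifetimes(struct ads_conn *c, time_t tgt_end, time_t svc_end) {
    c->tgt_expire = tgt_end;
    c->ticket_expire = svc_end;
}

int main(void) {
    /* Constructed values: the timestamp from the report's log line. */
    time_t now = 1430903792;
    struct ads_conn c = { 0, 0, true };
    printf("Current tickets expire in %ld seconds (at %ld, time is now %ld) -> reuse=%d\n",
           ticket_seconds_left(&c, now), (long)c.tgt_expire, (long)now, can_reuse(&c, now));
    /* Same connection once the bind recorded a 10h TGT and a 10m service ticket. */
    record_ticket_lifetimes(&c, now + 36000, now + 600);
    printf("After recording: %ld seconds left -> reuse=%d\n",
           ticket_seconds_left(&c, now), can_reuse(&c, now));
    return 0;
}
```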
Comment 1 Uri Simchoni 2015-05-10 04:38:27 UTC
Created attachment 11039
Proposed fix
Comment 2 Jeremy Allison 2015-05-11 17:28:56 UTC
Created attachment 11041
Slight change to deal with context already expired.

Does this also work for you ?
Comment 3 Jeremy Allison 2015-05-12 19:04:49 UTC
Created attachment 11048
git-am fix for master.

Updated to use GSS_ constants.
Comment 4 Jeremy Allison 2015-05-13 16:39:40 UTC
Created attachment 11051
git-am cherry-pick from master for 4.2.next, 4.1.next.

Cherry-pick applies cleanly to 4.2.next, 4.1.next. Ralph please review !

Thanks,

Jeremy.
Comment 5 Jeremy Allison 2015-05-13 18:18:32 UTC
Re-assigning to Karolin for inclusion in 4.2.next, 4.1.next.
Comment 6 Karolin Seeger 2015-05-20 11:42:01 UTC
Pushed to autobuild-v4-[1|2]-test.
Comment 7 Karolin Seeger 2015-05-21 08:10:12 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to both branches.
Closing out bug report.

Thanks!