In the xid to SID mapping function, idmap_rid uses the trusted domain list to get the SID for the mapping domain. But the idmap child may lack trusted domains in the case where a winbindd idmapping request came in before trusted domain enumeration finished and triggered the idmap child fork. When it forks, the idmap child inherits the trusted domain list of the parent, which is not yet complete. Even after the parent finishes trusted domain enumeration, xid2sid idmapping requests will continue to fail, so a transient error becomes a permanent one. A successful authentication, on the other hand, will prime the idmap caches, so xid2sid will work as long as the cache remains valid. But obviously after flushing the cache, or just on cache expiration, the idmapping will fail again.

The fix is to pass the domain SID as an additional argument to the idmap xid2sid mapping functions. To get the SID, we call lsalookupnames on the domain name of all domains in the mapping request.

Have patch, need bug number.
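Added illustration, not Samba code and not part of the bug report: a small C model of the failure described above and of the fix. It stands in for the fork with a struct copy (the child gets a snapshot of the parent's domain list at fork time), uses the idmap_rid arithmetic rid = xid - range_low + base_rid, and compares the old path (child looks the domain SID up in its own, stale list) with the fixed path (the caller passes the domain SID it resolved, which in the real fix comes from LSA LookupNames). Domain names, SIDs, the xid range and the helper names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <stdbool.h>

/* Hypothetical model of winbindd's trusted domain list; not Samba's data structures. */
#define MAX_DOMAINS 8
#define SID_LEN 64

struct dom_entry {
    char name[32];
    char sid[SID_LEN];      /* domain SID, e.g. S-1-5-21-... (constructed values below) */
};

struct dom_list {
    int count;
    struct dom_entry dom[MAX_DOMAINS];
};

/* idmap_rid style range: xid in [low, high] maps to rid = xid - low + base_rid */
struct rid_range {
    unsigned low, high, base_rid;
};

static const struct dom_entry *find_domain(const struct dom_list *l, const char *name)
{
    for (int i = 0; i < l->count; i++)
        if (strcasecmp(l->dom[i].name, name) == 0) return &l->dom[i];
    return NULL;
}

static void add_domain(struct dom_list *l, const char *name, const char *sid)
{
    if (l->count >= MAX_DOMAINS) return;
    snprintf(l->dom[l->count].name, sizeof l->dom[0].name, "%s", name);
    snprintf(l->dom[l->count].sid, SID_LEN, "%s", sid);
    l->count++;
}

/* Old behaviour: the idmap child derives the domain SID from its own (inherited) list.
 * If the domain is missing from that snapshot, the mapping fails for the life of the child. */
static bool xid2sid_via_list(const struct dom_list *child_list, const struct rid_range *r,
                             const char *domname, unsigned xid, char *out, size_t outlen)
{
    const struct dom_entry *d = find_domain(child_list, domname);
    if (d == NULL) return false;                       /* domain unknown to the child */
    if (xid < r->low || xid > r->high) return false;   /* outside the configured range */
    snprintf(out, outlen, "%s-%u", d->sid, xid - r->low + r->base_rid);
    return true;
}

/* Fixed behaviour: the domain SID travels with the request, so the child's own
 * domain list is no longer consulted. */
static bool xid2sid_with_sid(const char *domsid, const struct rid_range *r,
                             unsigned xid, char *out, size_t outlen)
{
    if (domsid == NULL || xid < r->low || xid > r->high) return false;
    snprintf(out, outlen, "%s-%u", domsid, xid - r->low + r->base_rid);
    return true;
}

/* Scenario driver: returns true when the old path fails and the fixed path succeeds.
 * old_result/new_result receive the SID strings (empty if mapping failed). */
static bool demonstrate_race(char *old_result, char *new_result, size_t len)
{
    struct dom_list parent = {0};
    struct rid_range trust_range = { .low = 2000000, .high = 2999999, .base_rid = 0 };
    old_result[0] = new_result[0] = '\0';

    /* Parent has enumerated only the primary domain so far (constructed names/SIDs)... */
    add_domain(&parent, "CORP", "S-1-5-21-1111-2222-3333");
    /* ...when a mapping request forces the idmap child to fork: it inherits a snapshot. */
    struct dom_list child = parent;
    /* Parent later finishes enumeration; the child's copy never sees this entry. */
    add_domain(&parent, "TRUST", "S-1-5-21-4444-5555-6666");

    bool old_ok = xid2sid_via_list(&child, &trust_range, "TRUST", 2001005, old_result, len);

    /* Fixed path: the SID is resolved in the parent (LSA LookupNames in the real fix;
     * here simply taken from the parent's completed list) and passed in the request. */
    const struct dom_entry *d = find_domain(&parent, "TRUST");
    bool new_ok = xid2sid_with_sid(d ? d->sid : NULL, &trust_range, 2001005, new_result, len);
    return !old_ok && new_ok;
}

int main(void)
{
    char old_sid[SID_LEN], new_sid[SID_LEN];
    bool race_shown = demonstrate_race(old_sid, new_sid, sizeof old_sid);
    printf("old path: %s\n", old_sid[0] ? old_sid : "(failed: domain not in child's list)");
    printf("new path: %s\n", new_sid[0] ? new_sid : "(failed)");
    return race_shown ? 0 : 1;
}
```

The point of the model is the ordering: the child's copy of the list is frozen at fork time, so an enumeration that completes in the parent afterwards cannot repair it, whereas a SID carried in the request is correct whenever the parent could resolve it.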
Created attachment 13679: Patch for 4.6 and 4.7 cherry-picked from master
Comment on attachment 13679 (Patch for 4.6 and 4.7 cherry-picked from master): Can someone please review the backports? Thanks!
Karolin, please add the patchset to 4.6 and 4.7. Thanks!
(In reply to Andreas Schneider from comment #3) Pushed to autobuild-v4-{7,6}-test.
Pushed to both branches. Closing out bug report. Thanks!