6527 – idmap falls back to default config until rescan_trusted_domains succeeds

Bug 6527 - idmap falls back to default config until rescan_trusted_domains succeeds

Summary: idmap falls back to default config until rescan_trusted_domains succeeds

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-07-01 08:59 UTC by Michael Adam
Modified:	2019-02-16 20:38 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Adam 2009-07-01 08:59:04 UTC

The following applies to 3.2, 3.3, 3.4 and master.

The scenario is this:
samba is member of a domain DOM1.
DOM1 has a trusted domain DOM2.
samba has a configuration section like this:

  idmap config DOM2 : backend = rid (e.g.)
  idmap config DOM2 : range = 100000-200000

and a default idmap config using the tdb backend
with a different range, say 500000-600000.

Now winbindd asks its DC for the list of its trusted
domains to build the internal list of domains.
When this request does not succeed (for what reason ever,
incomplete machine account replication after a join,
network problems, ...) then winbindd will start answering
requests with an incomplete list of domains.

When a sid2uid call is answered for a sid from DOM2,
this will lead to winbindd assigning a UID from the
default config range 500000-600000 to this sid instead
of an ID from the intended range. Winbindd will also
store this mapping in the idmap cache and use it for quite
a while.

The reason is that currently sid2uid works as follows:
first the find_domain_from_sid() is called to look for
the sid in the internal list of domains. This list is
still incomplete and does not contain DOM2, so the sid
is not found to belong to DOM2. Therefore sid2uid
uses the default idmap config.

Comment 1 Michael Adam 2009-07-01 09:05:03 UTC

There are several possible ways around this:

* One could only start serving requests after the DC has successfully been contacted and the list of trusted domains has successfully been retrieved.

* One could also stop building the complete list of domains but add domains as they come along. In the present example of the sid2uid call, sid2uid could try to look the domain part of the sid up with lookup_sids call. If successful, add the trusted domain and proceed with the mapping.

In both cases it would be important to not process these requests when the trusted domains could not be retrieved.

Comment 2 Karolin Seeger 2009-08-12 09:39:32 UTC

Is there a chance to fix that for 3.4.1 (scheduled for August 18)?

Comment 3 Karolin Seeger 2009-09-01 03:40:40 UTC

3.4.1 will be released in 2 days and currently, there is no patch available. So it won't be fixed in 3.4.1. But it would be nice to address this one in 3.4.2.
Any chance, Michael?

Comment 4 Ralph Böhme 2019-02-16 20:38:35 UTC

I remember I fixed this some time ago.