Bug 6899 - implement nss_initgroups_ignoreusers or similar
Summary: implement nss_initgroups_ignoreusers or similar
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All
OS: All
Importance: P3 enhancement
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Depends on:
Reported: 2009-11-17 17:07 UTC by Nick (550-5.1.1 The email account that you tried to reach does not exist)
Modified: 2021-05-23 20:50 UTC
CC: 3 users

See Also:

Implementation of winbind initgroups ignoreusers option (2.89 KB, patch)
2009-11-17 19:31 UTC, Nick (550-5.1.1 The email account that you tried to reach does not exist)
Similar patch for 3.4.3 (3.60 KB, patch)
2009-11-19 09:22 UTC, Nick (550-5.1.1 The email account that you tried to reach does not exist)

Description Nick (550-5.1.1 The email account that you tried to reach does not exist) 2009-11-17 17:07:18 UTC
For local users who definitely are not on the AD domain, winbind shouldn't try to look up any group memberships.  The reason for this is that winbind can hang for a while on a query, causing issues for core system services.

For example, if NetworkManager is running and has a dispatcher script which tries to run 'smbcontrol winbind offline', NetworkManager may never get to actually fork the script since name lookups are hanging for local system users (e.g. dbus, root).  So since winbind still thinks it's online, things will continue to hang for even longer.

To speed things up and make them more reliable, winbind should have something like nss_initgroups_ignoreusers for nss_ldap.

I'd be happy to get started on this if someone could give me a pointer to the best place in the code to insert this sort of thing, and a quicky on adding a configuration parameter.  If I don't hear from anyone in a while I'll get started anyway, but it would be nice to have some help :)
Comment 1 Nick (550-5.1.1 The email account that you tried to reach does not exist) 2009-11-17 19:31:40 UTC
Created attachment 4961
Implementation of winbind initgroups ignoreusers option

This is for 3.3.9 (since that's what I'm working with now), but should hopefully work fine on 3.4.x.  It would be really nice if one of the devs could look over it and push it into testing :)
Comment 2 Michael Adam 2009-11-19 06:58:39 UTC
Hi Nick,

I am going to investigate this and also look at your patch.

Comment 3 Nick (550-5.1.1 The email account that you tried to reach does not exist) 2009-11-19 09:22:57 UTC
Created attachment 4966
Similar patch for 3.4.3

One issue I have is that implementing this option in winbindd_group.c still causes a hang when winbindd isn't initialized yet.  So it would be best to be implemented before anything that tries to contact winbindd; however, from what I can tell, anything at that level doesn't have accessibility to the config file to actually read the option.  Therefore in this patch there are actually two items: implementing the option in winbindd_group.c, and also a hardcoded skipping of "root" in winbind_nss_linux.c (possibly this should be in a more general place, but I couldn't find a better place nor a function definition for _nss_winbind_initgroups_dyn under the other OS implementations).  The second part is because most core stuff is running as root, and it should be a safe bet that root isn't a member of any group on the directory service, and even if it was then it wouldn't matter since root is the superuser and would have access to everything regardless of group membership.  However, it would still be best to implement the user skip checking based on the option alone (without hardcoding "root") at a level before any attempt at calling winbindd is done.
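The design point raised in the description and in comment 3 is that the ignore check has to run before the NSS client side makes any round trip to winbindd, so that local accounts such as root or dbus can never block on a hung or not-yet-started daemon. The following added example (not code from the Samba tree or from the attached patches) sketches that shape in plain C: a whole-name matcher over a comma- or space-separated list, and an initgroups entry point that consults the list first and only then calls a backend function standing in for the winbindd query. The option name, the `enum nss_status` stand-in, the `initgroups_backend_fn` type and the fake backend are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for glibc's enum nss_status from <nss.h>, declared locally so the
 * example builds without NSS headers; the numeric values match glibc. */
enum nss_status {
    NSS_STATUS_TRYAGAIN = -2,
    NSS_STATUS_UNAVAIL  = -1,
    NSS_STATUS_NOTFOUND = 0,
    NSS_STATUS_SUCCESS  = 1
};

/* True if `user` appears in `ignore_list`, a comma- or whitespace-separated
 * list such as "root,dbus messagebus". Only whole names match, so an entry
 * "root" does not cover "rootuser". Assumption: the list is the raw value of
 * a config option along the lines of "winbind initgroups ignoreusers". */
bool initgroups_user_ignored(const char *user, const char *ignore_list)
{
    if (user == NULL || ignore_list == NULL || *user == '\0') {
        return false;
    }
    size_t ulen = strlen(user);
    const char *p = ignore_list;
    while (*p != '\0') {
        /* skip separators */
        while (*p == ',' || *p == ' ' || *p == '\t') {
            p++;
        }
        const char *start = p;
        while (*p != '\0' && *p != ',' && *p != ' ' && *p != '\t') {
            p++;
        }
        size_t len = (size_t)(p - start);
        if (len == ulen && memcmp(start, user, ulen) == 0) {
            return true;
        }
    }
    return false;
}

/* Signature of the part that actually talks to winbindd (assumed). */
typedef enum nss_status (*initgroups_backend_fn)(const char *user, void *ctx);

/* Guarded initgroups entry: the ignore list is checked before any attempt to
 * contact the daemon. Ignored users get NSS_STATUS_NOTFOUND, which tells the
 * NSS stack this source contributes no extra groups for them. */
enum nss_status initgroups_guarded(const char *user, const char *ignore_list,
                                   initgroups_backend_fn backend, void *ctx)
{
    if (initgroups_user_ignored(user, ignore_list)) {
        return NSS_STATUS_NOTFOUND;
    }
    return backend(user, ctx);
}

/* Constructed stand-in for the winbindd round trip: it only records that it
 * was invoked and pretends the domain returned groups for the user. */
struct backend_trace {
    int calls;
};

enum nss_status fake_winbind_backend(const char *user, void *ctx)
{
    (void)user;
    struct backend_trace *t = ctx;
    t->calls++;
    return NSS_STATUS_SUCCESS;
}

/* How many times the (fake) daemon would be contacted for one lookup:
 * 0 when the user is on the ignore list, 1 otherwise. */
int backend_calls_for(const char *user, const char *ignore_list)
{
    struct backend_trace t = {0};
    (void)initgroups_guarded(user, ignore_list, fake_winbind_backend, &t);
    return t.calls;
}

int main(void)
{
    const char *ignore = "root,dbus, messagebus";   /* constructed config value */
    const char *users[] = {"root", "dbus", "nick", "rootuser"};
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        int calls = backend_calls_for(users[i], ignore);
        printf("%-10s -> %s\n", users[i],
               calls == 0 ? "skipped, winbindd not contacted" : "looked up via winbindd");
    }
    return 0;
}
```

The guard sits in the NSS client path rather than inside winbindd, which is what makes it effective against the hang described in the report: a user on the list never produces a request to the daemon's socket at all.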
Comment 4 Guenther Deschner 2009-11-27 03:27:58 UTC
Just for the record: we had something like this three years ago already:

Comment 5 Karolin Seeger 2010-03-08 04:51:04 UTC
Raising component.
Comment 6 Dale Dude 2012-02-13 22:17:03 UTC
Can an official release be pushed out for this, please? It would be extremely useful to stop winbind from dealing with specific users' groups.
Comment 7 Björn Jacke 2021-05-23 20:50:18 UTC
I don't think that we'll ever implement something like this; this is also why this has not been worked on for 12 years. Everybody is urgently asked not to use "winbind use default domain" (or live with the drawbacks).