Andrew Bartlett
2013-Jun-18 02:49 UTC
[Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)
This patch attempts to address an issue some have reported where our nss_winbind is even slower than its simple non-caching implementation needs to be.

I think this comes from us not handling the BUILTIN domain properly, and so we constantly attempt to contact the DC, and then fail an internal validation step, throwing away that connection.

I think this is also the cause of crashes folks have seen.

Can I get some confirmation that this helps, so I can merge this into master (and then 4.0.x)?

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
Type: text/x-patch
Size: 4347 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20130618/2e83b773/attachment.bin>

Volker Lendecke
2013-Jun-18 08:07 UTC
[Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)
On Tue, Jun 18, 2013 at 12:49:37PM +1000, Andrew Bartlett wrote:
> This patch attempts to address an issue some have reported where our
> nss_winbind is even slower than its simple non-caching implementation
> needs to be.
>
> I think this comes from us not handling the BUILTIN domain properly, and
> so we constantly attempt to contact the DC, and then fail an internal
> validation step, throwing away that connection.
>
> I think this is also the cause of crashes folks have seen.
>
> Can I get some confirmation that this helps, so I can merge this into
> master (and then 4.0.x)?

If you add the Signed-off-by-line, consider this reviewed-by me.

Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

Philippe.Simonet at swisscom.com
2013-Jun-21 05:58 UTC
[Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)
Hi Andrew,

many thanks for your patch, I tested it on 2 different systems but without success (the crash is always happening).

Before applying the patch, I had a strange problem: I couldn't reproduce the problem (with wbinfo --uid-info 3000000) on one of the machines (no chance even if I reinstall, re-provision, ...). I finally rebooted the machine and after the reboot the crash was reproducible again (...)

On both machines, what I've done:

(...untar...)
cd samba-4.0.6
patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
make
make install
rm /etc/samba/smb.conf
samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc --realm TEST.CH --domain TEST --adminpass=Pa$$w0rd
samba -i -M single

and ->>> wbinfo --uid-info 3000000

I get:

---------------------
samba version 4.0.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
Attempting to autogenerate TLS self-signed keys for https for hostname 'WZ3.test3.ch'
TLS self-signed keys generated OK
==============================================================
INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
Please read the Trouble-Shooting section of the Samba HOWTO
==============================================================
PANIC: internal error
Aborted
---------------------

Best regards
Philippe

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, June 18, 2013 4:50 AM
> To: Samba Technical
> Cc: samba at samba.org; Alex Matthews; Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> Subject: [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)
>
> This patch attempts to address an issue some have reported where our
> nss_winbind is even slower than its simple non-caching implementation
> needs to be.
>
> I think this comes from us not handling the BUILTIN domain properly, and so
> we constantly attempt to contact the DC, and then fail an internal validation
> step, throwing away that connection.
>
> I think this is also the cause of crashes folks have seen.
>
> Can I get some confirmation that this helps, so I can merge this into master
> (and then 4.0.x)?
>
> Thanks,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org