[Pkg-samba-maint] Bug#553923: winbind: idmap_rid cache becomes corrupted when mixing group and user queries

Castan Eric eric.castan at elca.ch
Mon Nov 2 09:27:28 UTC 2009


Package: winbind
Version: 2:3.2.5-4lenny7
Severity: important

I have investigated a strange issue on a system not allowing users to login.
It appeared that the winbind cache eventually got corrupted when mixing group queries and user queries.

I am using the idmap_rid allocator.

If one queries with "wbinfo -G" for a group whose id is indeed a user id, that user won't exist any more in winbind.

Example on a sane system:

eca at pp2tnce10c:~$ wbinfo -i 'PREPROD\jcb'
jcb:*:11129:10513:XXXXXXXXXXXXXXX YYYYYY:/home/PREPROD+jcb:/bin/bash


How to get a corrupt system (different from the first one, though):

## Step 1 : Try to group-resolve a user id
eca at pp2tnsa10c:~$ wbinfo -G 11129
S-1-5-21-4162644616-3733566000-1282571631-1129

## Step 2 : You can check that jcb's account is locked because his SID is now associated with a group account in the winbind cache
eca at pp2tnsa10c:~$ id jcb
id: jcb: No such user
eca at pp2tnsa10c:~$ wbinfo -s S-1-5-21-4162644616-3733566000-1282571631-1129
PREPROD\jcb 1
eca at pp2tnsa10c:~$ wbinfo -n 'PREPROD\jcb'
S-1-5-21-4162644616-3733566000-1282571631-1129 User (1)
eca at pp2tnsa10c:~$ wbinfo -i 'PREPROD\jcb'
Could not get info for user PREPROD\jcb
##############

For some reason, this occurs without intent on one of my systems.
If you want the locked account to be able to log in again, you have to wait for the positive ttl to expire, or to manually clean up winbind caches.

I attach my smb.conf so that one can easily reproduce it:

eca at pp2tnsa10c:~$ testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = PREPROD
        realm = PREPROD.COMPANY.COM
        security = ADS
        restrict anonymous = 2
        client NTLMv2 auth = Yes
        use kerberos keytab = Yes
        idmap domains = PREPROD, CORP, OTHERTRUSTED
        template homedir = /home/%D+%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config OTHERTRUSTED:range = 70000 - 79999
        idmap config OTHERTRUSTED:backend = tdb
        idmap config CORP:range = 50000 - 69999
        idmap config CORP:backend = rid
        idmap config PREPROD:range = 10000 - 49999
        idmap config PREPROD:backend = rid


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (800, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages winbind depends on:
ii  adduser         3.110                    add and remove users and groups
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libpopt0        1.14-4                   lib for parsing cmdline parameters
ii  libtalloc1      1.2.0~git20080616-1      hierarchical pool based memory all
ii  libwbclient0    2:3.2.5-4lenny7          client library for interfacing wit
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  samba-common    2:3.2.5-4lenny7          Samba common files used by both th

winbind recommends no packages.

winbind suggests no packages.

-- no debconf information
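The mechanism behind the two-step sequence in the report is that idmap_rid derives the RID purely from the Unix id and the range (11129 - 10000 = 1129, the last component of jcb's SID), so the same arithmetic answers a gid query and a uid query with one SID, and whichever kind of query reaches the cache first decides how that SID is typed. The following is an added Python model written for this page, not Samba or winbind code: it assumes the idmap_rid default of base_rid = 0, represents the winbind idmap cache as a dict keyed by SID, uses a constructed name-to-SID table for the `wbinfo -n` step, and adds a small consistency check that flags a cached entry whose id kind contradicts the object type reported by name resolution.

```python
import re

# Values taken from the bug report: PREPROD domain SID and its idmap range.
DOMAIN_SID = "S-1-5-21-4162644616-3733566000-1282571631"
RANGE_LOW, RANGE_HIGH = 10000, 49999
BASE_RID = 0  # idmap_rid default; an assumption of this model

SID_NAME_USER = 1     # printed by 'wbinfo -n' as "User (1)"
SID_NAME_DOM_GRP = 2  # printed as "Domain Group (2)"

WBINFO_N_RE = re.compile(r"^(S-1-5-[\d-]+) (.+?) \((\d+)\)$")


def unix_id_to_sid(unix_id):
    """idmap_rid forward mapping: RID = id - range_low + base_rid (same for uid and gid)."""
    if not RANGE_LOW <= unix_id <= RANGE_HIGH:
        raise ValueError(f"id {unix_id} outside idmap range")
    return f"{DOMAIN_SID}-{unix_id - RANGE_LOW + BASE_RID}"


def sid_to_unix_id(sid):
    """idmap_rid reverse mapping: id = RID - base_rid + range_low."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != DOMAIN_SID:
        raise ValueError(f"{sid} is not in domain {DOMAIN_SID}")
    unix_id = int(rid) - BASE_RID + RANGE_LOW
    if not RANGE_LOW <= unix_id <= RANGE_HIGH:
        raise ValueError(f"{sid} maps outside idmap range")
    return unix_id


# Constructed stand-in for the name -> SID step of 'wbinfo -n'.
NAME_TO_SID = {"PREPROD\\jcb": (unix_id_to_sid(11129), SID_NAME_USER)}


class IdmapCache:
    """Toy winbind idmap cache: one entry per SID, tagged with the id kind
    (uid or gid) of the query that first populated it."""

    def __init__(self):
        self._by_sid = {}

    def _lookup(self, sid, want):
        entry = self._by_sid.get(sid)
        if entry is None:
            entry = (want, sid_to_unix_id(sid))
            self._by_sid[sid] = entry  # stays until the positive TTL expires
        kind, unix_id = entry
        return unix_id if kind == want else None

    def gid_query(self, gid):
        """'wbinfo -G gid': the rid backend answers from arithmetic alone,
        and the cache now records the SID as a group id."""
        sid = unix_id_to_sid(gid)
        self._lookup(sid, "gid")
        return sid

    def uid_for_user(self, name):
        """'wbinfo -i name': name -> SID, then SID -> uid via the cache.
        Returns None when the cached entry is typed as a gid."""
        sid, _ = NAME_TO_SID[name]
        return self._lookup(sid, "uid")

    def cached_kind(self, sid):
        entry = self._by_sid.get(sid)
        return entry[0] if entry else None


def parse_wbinfo_n(line):
    """Parse one 'wbinfo -n' output line into (sid, type number)."""
    m = WBINFO_N_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected wbinfo -n output: {line!r}")
    return m.group(1), int(m.group(3))


def mistyped_entries(cache, sid_types):
    """Consistency check: SIDs whose cached id kind contradicts the object
    type from name resolution (a User must be a uid, a group a gid)."""
    bad = []
    for sid, sid_type in sid_types.items():
        kind = cache.cached_kind(sid)
        if (kind, sid_type) in (("gid", SID_NAME_USER), ("uid", SID_NAME_DOM_GRP)):
            bad.append(sid)
    return bad


def reproduce():
    """Walk through the report's sane and corrupted sequences."""
    sane_uid = IdmapCache().uid_for_user("PREPROD\\jcb")   # 11129 on a sane system
    corrupt = IdmapCache()
    sid = corrupt.gid_query(11129)                         # step 1
    broken_uid = corrupt.uid_for_user("PREPROD\\jcb")      # step 2: None
    _, sid_type = parse_wbinfo_n(f"{sid} User (1)")        # what 'wbinfo -n' printed
    return sane_uid, broken_uid, mistyped_entries(corrupt, {sid: sid_type})
```

Running `reproduce()` on the constructed data yields `(11129, None, [sid])`: the fresh cache resolves jcb, the cache that first saw a gid query for 11129 does not, and the check singles out that SID because name resolution still calls it a User. On a real host the same comparison can be made by pairing `wbinfo -n` type output against `wbinfo -i` or `id` results before deciding to flush the winbind cache.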