On Fri, 2013-06-21 at 07:23 +0000, philippe.simo...@swisscom.com wrote:
> Hi Andrew,
> 
> Sorry (my English...) I was not clear. I tried to say that the patch does not
> change anything for me, the crash is still here.

Which (named) patch did you try?

I've attached both patches which I proposed.  Each attempts to solve the
problem in a different way.  Please try each of them, and tell me if you
still get the crash.  

Thanks,

Andrew Bartlett

> best regards
> 
> Philippe
> 
> 
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abart...@samba.org]
> > Sent: Friday, June 21, 2013 9:18 AM
> > To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> > Cc: samba-techni...@samba.org; sa...@samba.org;
> > qoole.sa...@lillimoth.com
> > Subject: Re: [PATCH] Workaround very slow nss_winbind, fix crash on the AD
> > DC (particularly for backups)
> > 
> > On Fri, 2013-06-21 at 05:58 +0000, philippe.simo...@swisscom.com wrote:
> > > Hi Andrew,
> > >
> > > many thanks for your patch,
> > > I tested it on 2 different systems but without success (the crash is
> > > always happening).
> > >
> > > before applying the patch, I had a strange problem: I couldn't
> > > reproduce the problem (with wbinfo --uid-info 3000000) on one of the
> > > machines (no chance even if I reinstall, re-provision, ...). I finally
> > > rebooted the machine and after the reboot the crash was reproducible
> > > again (...)
> > 
> > Thank you for finally getting back to me on this.  After seeing it once, I
> > was also unable to reproduce the crash, and so was patching blind.
> > This remains elusive.
> > 
> > Does this alternative patch help?
> > 
> > > on both machines, what I've done :
> > > (...untar...)
> > > cd samba-4.0.6
> > > patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
> > > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
> > > make
> > > make install
> > > rm /etc/samba/smb.conf
> > > samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc --realm TEST.CH --domain TEST --adminpass=Pa$$w0rd
> > > samba -i -M single
> > >
> > > and ->>>  wbinfo --uid-info 3000000
> > >
> > > I get :
> > > ---------------------
> > > samba version 4.0.6 started.
> > > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > > samba: using 'single' process model
> > > Attempting to autogenerate TLS self-signed keys for https for hostname 'WZ3.test3.ch'
> > > TLS self-signed keys generated OK
> > > ===============================================================
> > > INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
> > > Please read the Trouble-Shooting section of the Samba HOWTO
> > > ===============================================================
> > > PANIC: internal error
> > > Aborted
> > > ---------------------
> > >
> > > Best regards
> > >
> > > Philippe
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > --
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
> 
> 

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

From 213dd8c754e381fcca0bc692422189fb0a9fa9d6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Sat, 15 Jun 2013 19:54:14 +1000
Subject: [PATCH] gensec: work around nested event loops by ensuring that the
 gensec_security remains valid

Some nested event loops cause the main context variable here to become
deallocated.  This ensures that cannot happen until the end of the
call.

Andrew Bartlett
---
 auth/gensec/gensec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..ad6a19d 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -216,9 +216,11 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
 				const DATA_BLOB in, DATA_BLOB *out)
 {
 	NTSTATUS status;
-
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	talloc_reference(mem_ctx, gensec_security);
 	status = gensec_security->ops->update(gensec_security, out_mem_ctx,
 					      ev, in, out);
+	talloc_free(mem_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
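
Review bot: the return values of talloc_new(NULL) and talloc_reference(mem_ctx, gensec_security) at the top of gensec_update() are both unchecked, so if either allocation fails the ->update() call runs without the reference and the deallocation described in the commit message can still happen. Check both and return NT_STATUS_NO_MEMORY, freeing mem_ctx if only the reference failed. A one-line comment saying that the reference keeps gensec_security alive across nested event loops would also help, and a name other than mem_ctx would avoid confusion with the out_mem_ctx parameter passed in the same call.
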
-- 
1.7.11.7

From 4497f21ec6790d2c99aaafde4a7ceae026b3aacd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Sat, 15 Jun 2013 23:01:44 +1000
Subject: [PATCH 2/2] s4-winbind: Add special case for BUILTIN domain

This should mean that lookups for the BUILTIN domain cause less trouble
than they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abart...@samba.org>
---
 source4/winbind/wb_dom_info.c    |  5 +++--
 source4/winbind/wb_init_domain.c | 38 ++++++++++++++++++++------------------
 source4/winbind/wb_sid2domain.c  | 14 ++++++++++++++
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c
index e2b5def..8c08c73 100644
--- a/source4/winbind/wb_dom_info.c
+++ b/source4/winbind/wb_dom_info.c
@@ -67,9 +67,10 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
 	state->info->sid = dom_sid_dup(state->info, sid);
 	if (state->info->sid == NULL) goto failed;
 
-	if ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
+	if (dom_sid_equal(sid, &global_sid_Builtin) || 
+	    ((lpcfg_server_role(service->task->lp_ctx) != ROLE_DOMAIN_MEMBER) &&
 	    dom_sid_equal(sid, service->primary_sid) &&
-	    service->sec_channel_type != SEC_CHAN_RODC) {
+	     service->sec_channel_type != SEC_CHAN_RODC)) {
 		struct interface *ifaces = NULL;
 
 		load_interface_list(state, service->task->lp_ctx, &ifaces);
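
Review bot: in the new condition in wb_get_dom_info_send(), dom_sid_equal(sid, &global_sid_Builtin) is ORed in front of the whole existing test, so BUILTIN takes this branch even when the role is ROLE_DOMAIN_MEMBER or the channel type is SEC_CHAN_RODC, both of which the original test excluded for the primary domain. If that is intended, say so in a comment above the if; if not, restructure the expression so the role and RODC tests still apply to BUILTIN. The added "||" line also ends in trailing whitespace, and the unchanged dom_sid_equal(sid, service->primary_sid) line is now indented one column short of the re-indented line after it.
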
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 70dbaa9..db5eb1d 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -369,24 +369,26 @@ static void init_domain_recv_queryinfo(struct tevent_req *subreq)
 	state->ctx->status = state->queryinfo.out.result;
 	if (!composite_is_ok(state->ctx)) return;
 
-	dominfo = &(*state->queryinfo.out.info)->account_domain;
-
-	if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
-		DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
-			  state->domain->info->name,
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dominfo->name.string));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
-	}
-
-	if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
-		DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
-			  dom_sid_string(state, state->domain->info->sid),
-			  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
-			  dom_sid_string(state, dominfo->sid)));
-		composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
-		return;
+	if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) {
+		dominfo = &(*state->queryinfo.out.info)->account_domain;
+		
+		if (strcasecmp(state->domain->info->name, dominfo->name.string) != 0) {
+			DEBUG(2, ("Expected domain name %s, DC %s said %s\n",
+				  state->domain->info->name,
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dominfo->name.string));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
+		
+		if (!dom_sid_equal(state->domain->info->sid, dominfo->sid)) {
+			DEBUG(2, ("Expected domain sid %s, DC %s said %s\n",
+				  dom_sid_string(state, state->domain->info->sid),
+				  dcerpc_server_name(state->domain->libnet_ctx->lsa.pipe),
+				  dom_sid_string(state, dominfo->sid)));
+			composite_error(state->ctx, NT_STATUS_INVALID_DOMAIN_STATE);
+			return;
+		}
 	}
 
 	state->domain->samr_binding = init_domain_binding(state, &ndr_table_samr);
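
Review bot: wrapping both comparisons in if (!dom_sid_equal(state->domain->info->sid, &global_sid_Builtin)) means that for BUILTIN the domain name and SID the DC returned in queryinfo are never compared with anything, and nothing at this site says why a mismatch is expected. Add a comment giving the reason (both checks compare against account_domain) so the skipped validation is visibly deliberate rather than an accident of the workaround. The two blank lines added inside the block contain only tabs, and the re-indented strcasecmp and DEBUG lines now run past 80 columns.
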
diff --git a/source4/winbind/wb_sid2domain.c b/source4/winbind/wb_sid2domain.c
index 637fe1d..172a6d0 100644
--- a/source4/winbind/wb_sid2domain.c
+++ b/source4/winbind/wb_sid2domain.c
@@ -98,6 +98,20 @@ static struct tevent_req *_wb_sid2domain_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
+	if (dom_sid_equal(&global_sid_Builtin, sid) ||
+	    dom_sid_in_domain(&global_sid_Builtin, sid)) {
+		ctx = wb_get_dom_info_send(state, service,
+					   "BUILTIN", NULL,
+					   &global_sid_Builtin);
+		if (tevent_req_nomem(ctx, req)) {
+			return tevent_req_post(req, ev);
+		}
+		ctx->async.fn = wb_sid2domain_recv_dom_info;
+		ctx->async.private_data = req;
+
+		return req;
+	}
+
 	ctx = wb_cmd_lookupsid_send(state, service, &state->sid);
 	if (tevent_req_nomem(ctx, req)) {
 		return tevent_req_post(req, ev);
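
Review bot: the new BUILTIN branch in _wb_sid2domain_send() has no comment, so a reader has to go to the commit message to learn that it exists to return before the wb_cmd_lookupsid_send() call; a short comment above the if would carry that, and the hard-coded "BUILTIN" name could be mentioned there too. The dom_sid_in_domain(&global_sid_Builtin, sid) test also sends every SID under BUILTIN through wb_get_dom_info_send() with &global_sid_Builtin and then into wb_sid2domain_recv_dom_info, so it is worth confirming that this callback handles the result produced by the branch changed in wb_dom_info.c.
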
-- 
1.7.11.7
