View Issue Details

ID: 0015795
Project: CentOS-7
Category: samba
View Status: public
Last Update: 2019-03-07 23:14
Status: new
Resolution: open
Product Version: 7.6.1810
Target Version:
Fixed in Version:
Summary: 0015795: winbind hangs when asked for use with empty domain
Description: Since the update to CentOS 7.6, and with it the update of samba from 4.7 to 4.8, we see a 100% reproducible hang of winbind causing looong response times (>60 secs) of ssh/id and any uid/gid resolving call.

When asked for details about an unknown local account (e.g. not in passwd or ldap via sssd) it will take 60+ seconds before the call returns with an error. An immediate return would have been expected, as with former samba versions (< 4.8, until CentOS 7.5).

A workaround to make normal ssh/id work without hang is to increase "winbind max domain connections" from its default (1) or set "winbind use default domain" to Yes on systems where possible.
Steps To Reproduce: Ensure "winbind use default domain" is set to its default "No".

Run a wbinfo/id asking for an unknown account without adding a domain, and it will take 60+ seconds until it returns with an error.

Unknown user: (60+ secs, winbind call with empty domain)

# time wbinfo -i TrySomethingNotLocalOrInAD
failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not get info for user TrySomethingNotLocalOrInAD

real 1m0.786s
user 0m0.009s
sys 0m0.010s
# time id TrySomethingNotLocalOrInAD
id: TrySomethingNotLocalOrInAD: Einen solchen Benutzer gibt es nicht

real 1m0.445s
user 0m0.004s
sys 0m0.009s

Known local user (e.g. root): (~0.03s)

# time id root
uid=0(root) gid=0(root) Gruppen=0(root)

real 0m0.032s
user 0m0.000s
sys 0m0.018s
# time wbinfo -i root
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user root

real 0m0.029s
user 0m0.010s
sys 0m0.011s

Additional Information:
# rpm -qa|grep samba-4
# testparm -v 2>/dev/null|egrep "(max domain connections|default domain)"

        winbind max domain connections = 1
        winbind use default domain = No
Tags: No tags attached.
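
The affected combination described in this report, as an added shell check that is not part of the original issue or of samba: it reads `testparm -v` style output plus a samba version, and its function names and `affected`/`ok:` output strings are made up for this example. It encodes only what the report states (samba 4.8 and upwards, both winbind settings at their defaults) and knows nothing about later fixed releases.

```shell
#!/bin/sh
# Added example (not from the issue): flag the smb.conf combination this report
# describes. All function names and output strings are hypothetical.

# Print the last value of parameter $1 from testparm-style "key = value" lines.
conf_value() {
    sed -n -e 's/[[:space:]]*$//' \
        -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Succeed if version string $1 (e.g. 4.8.3-4.el7) is 4.8 or newer.
version_at_least_4_8() {
    case $1 in
        [0-9]*.[0-9]*) ;;
        *) return 2 ;;          # not a version string
    esac
    major=${1%%[!0-9]*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }
}

# Usage: testparm -sv 2>/dev/null | check_winbind_hang "$(rpm -q --qf '%{VERSION}' samba)"
check_winbind_hang() {
    conf=$(cat)
    use_default=$(printf '%s\n' "$conf" | conf_value 'winbind use default domain' | tr 'A-Z' 'a-z')
    max_conn=$(printf '%s\n' "$conf" | conf_value 'winbind max domain connections')
    # Missing lines mean the defaults named in the report: No and 1.
    : "${use_default:=no}" "${max_conn:=1}"
    rc=0; version_at_least_4_8 "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown: cannot parse samba version '$1'"
    elif [ "$rc" -ne 0 ]; then
        echo "ok: samba $1 is older than 4.8"
    elif [ "$use_default" = yes ]; then
        echo "ok: winbind use default domain = Yes"
    elif [ "$max_conn" -gt 1 ] 2>/dev/null; then
        echo "ok: winbind max domain connections = $max_conn"
    else
        echo "affected"
    fi
}

# Constructed sample: the two values shown in the report's testparm output.
sample='	winbind max domain connections = 1
	winbind use default domain = No'
printf '%s\n' "$sample" | check_winbind_hang 4.8.3
```
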




2019-02-21 12:35

reporter   ~0033872

Sent a bug report to the samba team with the attached patch that will fix the issue for samba 4.8 and upwards.
It re-introduces the behavior of the function parse_domain_user from within source3/winbindd/winbindd_util.c, as with samba 4.7 and earlier, to return false in case the user has no domain part and winbind use default domain is set to no.

samba-4.8.9-fix_winbind_empty_domain.patch (459 bytes)
diff -Naur samba-4.8.9/source3/winbindd/winbindd_util.c samba-4.8.9-fix_winbind_empty_domain/source3/winbindd/winbindd_util.c
--- samba-4.8.9/source3/winbindd/winbindd_util.c	2018-12-13 04:08:40.000000000 -0500
+++ samba-4.8.9-fix_winbind_empty_domain/source3/winbindd/winbindd_util.c	2019-02-21 06:30:52.358040157 -0500
@@ -1604,6 +1604,7 @@
 			fstrcpy(namespace, domain);
 		} else {
 			fstrcpy(namespace, lp_netbios_name());
+			return false;
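
Review bot: the added `return false;` sits directly after `fstrcpy(namespace, lp_netbios_name());` in the else branch, so that copy is now dead work on a failure path, and nothing in the hunk says why this branch fails. Either drop the copy or keep it and add a comment stating that an unqualified name is rejected here, so callers know the output buffers must not be used after a false return. The visible lines also show no test of "winbind use default domain" next to the return; if the enclosing condition does not already encode that setting, make the check explicit.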


2019-02-21 12:41

reporter   ~0033873

The patch also works fine when added to the spec of samba-4.8.3-4.el7.src.rpm after samba-4.8.3-fix_winbind_getpwnam_local_user.patch with this line:
Patch5: samba-4.8.9-fix_winbind_empty_domain.patch


2019-02-21 13:23

developer   ~0033874

@aspannag, please post the link to the samba bug report.
Also, after it is included in the master tree, you should file a bug in so it can be tracked.
Once it is committed to the samba tree, we could rebuild with the patch for the fasttrack repo.


2019-02-22 22:04

reporter   ~0033890

Just adding a more preferred solution, but still in conversation with the samba team about the need for this fix.
Also, removing samba-4.8.3-fix_winbind_getpwnam_local_user.patch (which my patch relies on) fixes the issue, but I won't go this way as I would agree with its intention to make local accounts preferred over AD.

samba-4.8.9-fix_winbind_empty_domain_2.patch (473 bytes)
diff -Naur samba-4.8.9/source3/winbindd/winbindd_util.c samba-4.8.9-fix_winbind_empty_domain/source3/winbindd/winbindd_util.c
--- samba-4.8.9/source3/winbindd/winbindd_util.c	2019-02-22 11:26:48.873478679 -0500
+++ samba-4.8.9-fix_winbind_empty_domain/source3/winbindd/winbindd_util.c	2019-02-22 11:25:57.075130007 -0500
@@ -1604,6 +1604,7 @@
 			fstrcpy(namespace, domain);
 		} else {
 			fstrcpy(namespace, lp_netbios_name());
+			fstrcpy(domain, namespace);
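
Review bot: in the else branch, `fstrcpy(domain, namespace);` fills domain by way of namespace, the reverse of the visible if-branch line, where namespace is copied from domain. Copying lp_netbios_name() into domain first and then using `fstrcpy(namespace, domain);` would keep both branches in the same order and make it obvious that domain is set on this path. A one-line comment saying that unqualified names are now looked up under the local machine name would document the behaviour change for later readers.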


2019-02-28 18:01

reporter   ~0033918

Created bug 13815 with the samba team


2019-03-07 23:14

reporter   ~0033962

Final patch provided and created a merge request to get into main branch.

Issue History

Date Modified Username Field Change
2019-02-07 12:47 aspannag New Issue
2019-02-21 12:35 aspannag File Added: samba-4.8.9-fix_winbind_empty_domain.patch
2019-02-21 12:35 aspannag Note Added: 0033872
2019-02-21 12:41 aspannag Note Added: 0033873
2019-02-21 13:23 pgreco Note Added: 0033874
2019-02-22 22:04 aspannag File Added: samba-4.8.9-fix_winbind_empty_domain_2.patch
2019-02-22 22:04 aspannag Note Added: 0033890
2019-02-28 18:01 aspannag Note Added: 0033918
2019-03-07 23:14 aspannag Note Added: 0033962