[Pkg-samba-maint] Bug#613624: winbind: Winbind leaks gids with idmap ldap backend

Kevin Shanahan kmshanah at ucwb.org.au
Wed Feb 16 08:36:50 UTC 2011

Package: winbind
Version: 3.5.6~dfsg-3
Severity: normal

Winbind has been leaking gids from the unix id pool in our idmap
backend. This has been happening because of some inconsistency in how
the lookups of local sids were done for member servers. The sequence of
operations was like this:

- Try to lookup the sid-to-gid mapping for a local sid
- Lookup fails (did not look in the ldap backend)
- Try to allocate a new gid for the sid, using the ldap backend
  - Next available gid field in ldap is incremented
- Try to insert the new sid-to-gid mapping in ldap
  - First time ever, this will succeed
  - On subsequent attempts, this fails because the sid already is
    present; however, the next available gid is incremented every time.

As I understand it now, lookups are supposed to fail for these local
sids and no insert should happen. The fix for this is available here:


I have applied the two patches attached to that bug to our local
winbind packages and the issue is fixed. The patches have already been
approved for 3.5.7 upstream. Any chance this fix can be added in a
stable update for squeeze?


-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
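
The sequence in the report above, as a toy in-memory model with an audit for leaked gids. This is an added example, not part of the original report and not Samba code; IdmapStore, map_local_sid, the pool start of 10000 and the sample SID are hypothetical.

```python
# Added illustration: a toy in-memory model of the sequence in the report.
# IdmapStore, map_local_sid and the sample SID are hypothetical names/values,
# not Samba code or its LDAP schema.

class IdmapStore:
    """Stands in for the ldap idmap backend: a gid pool counter plus sid->gid entries."""
    def __init__(self, first_gid):
        self.first_gid = first_gid
        self.next_gid = first_gid
        self.sid_to_gid = {}

    def allocate_gid(self):
        gid = self.next_gid
        self.next_gid += 1  # counter moves on whether or not the mapping is stored
        return gid

    def insert(self, sid, gid):
        if sid in self.sid_to_gid:
            return False  # sid already present: insert is rejected
        self.sid_to_gid[sid] = gid
        return True

    def leaked_gids(self):
        """Gids handed out by the pool that no stored mapping refers to."""
        used = set(self.sid_to_gid.values())
        return [g for g in range(self.first_gid, self.next_gid) if g not in used]


def map_local_sid(store, sid, fixed):
    """One sid-to-gid request for a local sid on a member server."""
    # The lookup for a local sid fails without consulting the backend.
    if fixed:
        return None  # behaviour described as correct: lookup fails, no insert
    gid = store.allocate_gid()
    return gid if store.insert(sid, gid) else None


def run(requests, fixed):
    store = IdmapStore(first_gid=10000)  # constructed pool start
    for _ in range(requests):
        map_local_sid(store, "S-1-5-21-1-2-3-513", fixed)  # constructed SID
    return store


if __name__ == "__main__":
    for fixed in (False, True):
        s = run(5, fixed)
        print(f"fixed={fixed} next_gid={s.next_gid} leaked={s.leaked_gids()}")
```

The same gap check (pool counter versus gids actually referenced by stored mappings) can be run against a real backend to measure how many ids were lost before patching.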
