[Pkg-samba-maint] Bug#613624: Bug#613624: winbind: Winbind leaks gids with idmap ldap backend

Christian PERRIER bubulle at debian.org
Wed Feb 16 17:47:05 UTC 2011


severity 613624 important
forwarded 613624 https://bugzilla.samba.org/show_bug.cgi?id=7777
thanks

Quoting Kevin Shanahan (kmshanah at ucwb.org.au):
> Package: winbind
> Version: 3.5.6~dfsg-3
> Severity: normal
> 
> 
> Winbind has been leaking gids from the unix id pool in our idmap
> backend. This has been happening because of some inconsistency in how
> the lookups of local sids were done for member servers. The sequence of
> operations was like this:
> 
> - Try to lookup the sid-to-gid mapping for a local sid
> - Lookup fails (did not look in the ldap backend)
> - Try to allocate a new gid for the sid, using the ldap backend
>   - Next available gid field in ldap is incremented
> - Try to insert the new sid-to-gid mapping in ldap
>   - First time ever, this will succeed
>   - On subsequent attempts, this fails because the sid already is
>     present, however the next available gid is incremented every time.
> 
> As I understand it now, lookups are supposed to fail for these local
> sids and no insert should happen. The fix for this is available here:
> 
>   https://bugzilla.samba.org/show_bug.cgi?id=7777
> 
> I have applied the two patches attached to that bug to our local
> winbind packages and the issue is fixed. The patches have already been
> approved for 3.5.7 upstream. Any chance this fix can be added in a
> stable update for squeeze?


"polluting" the idmap backend is imho an important issue, hence
upgrading this bug's severity.

As already answered in another BR, I'm waiting for the release of
3.5.7 in order to try pushing that entire release to squeeze. That
would be a precedent and would assume I can explain each and every
upstream change to our release managers. That's not certain to happen.

However, should that be impossible, I would cherry-pick the fix for
this bug and propose a stable update, just like we did a few times for
lenny.
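
The sequence of operations quoted above, modelled as an added example that is not part of either message and is not Samba code. The class, the function names, the SID and the gid range are constructed for illustration; `leaked_gids` is the audit check a pool owner could run to see how far the counter has drifted from the stored mappings.

```python
LOCAL_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed machine SID
FIRST_GID = 10000                                         # constructed pool start

class IdmapBackend:
    """Stand-in for the ldap backend: a next-gid counter plus sid->gid entries."""
    def __init__(self):
        self.next_gid = FIRST_GID
        self.mappings = {}

    def allocate_gid(self):
        gid = self.next_gid
        self.next_gid += 1          # counter moves before any mapping is stored
        return gid

    def insert(self, sid, gid):
        if sid in self.mappings:    # sid already present: insert is refused
            return False
        self.mappings[sid] = gid
        return True

def sid_to_gid_leaky(backend, sid):
    # Local-sid lookup fails without consulting the backend, so each call allocates.
    gid = backend.allocate_gid()
    return gid if backend.insert(sid, gid) else None

def sid_to_gid_gated(backend, sid):
    # Behaviour the report describes as intended: the lookup fails for a
    # local sid and nothing is allocated or inserted.
    if sid.startswith(LOCAL_SID + "-"):
        return None
    if sid not in backend.mappings:  # assumption: other sids allocate on first use
        backend.insert(sid, backend.allocate_gid())
    return backend.mappings[sid]

def leaked_gids(backend):
    """Audit check: gids taken from the pool that no mapping refers to."""
    used = set(backend.mappings.values())
    return [g for g in range(FIRST_GID, backend.next_gid) if g not in used]

def simulate(resolver, attempts):
    backend = IdmapBackend()
    for _ in range(attempts):
        resolver(backend, LOCAL_SID + "-1001")
    return backend

if __name__ == "__main__":
    for resolver in (sid_to_gid_leaky, sid_to_gid_gated):
        b = simulate(resolver, 5)
        print(resolver.__name__, "next_gid:", b.next_gid, "leaked:", leaked_gids(b))
```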

