Improve performance of winbind idmap_ad backend

resolves: RHEL-20473
2024-04-29 18:28:03 +02:00 · 2024-04-29 18:28:03 +02:00 · 9b064c2063
commit 9b064c2063
parent d9cb8359ad
2 changed files with 235 additions and 6 deletions
--- a/ad_lookup_groupmem.patch
+++ b/ad_lookup_groupmem.patch
@ -0,0 +1,230 @@
+From 2b478bafd808218d3471fd5b1c9dc7d8e528cdb0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Wed, 13 Mar 2024 13:55:41 +0100
+Subject: [PATCH 1/4] docs-xml: Add parameter all_groupmem to idmap_ad
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c)
+---
+ docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
+index 32df8d066c2..c7fcc65d763 100644
+--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
+@@ -105,6 +105,16 @@
+ 		</listitem>
+ 		</varlistentry>
+ 		<varlistentry>
+		<term>all_groupmem = yes/no</term>
+		<listitem><para>
+		  If set to <parameter>yes</parameter> winbind will retrieve all
+		  group members for getgrnam(3), getgrgid(3) and getgrent(3) calls,
+		  including those with missing uidNumber.
+		</para>
+		<para>Default: no</para>
+		</listitem>
+		</varlistentry>
+		<varlistentry>
+ 		<term>deny ous</term>
+ 		<listitem><para>This parameter is a list of OUs from
+ 		which objects will not be mapped via the ad idmap
+-- 
+2.41.0
+
+
+From 2259b59220b625cd682a3d22024ab442a56ecc3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Tue, 12 Mar 2024 13:20:24 +0100
+Subject: [PATCH 2/4] s3:winbindd: Improve performance of lookup_groupmem() in
+ idmap_ad
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The LDAP query of lookup_groupmem() returns all group members from AD
+even those with missing uidNumber.  Such group members are useless in
+UNIX environment for idmap_ad backend since there is no uid mapping.
+
+'test_user' is member of group "Domanin Users" with 200K members,
+only 20K members have set uidNumber.
+
+Without this fix:
+
+$ time id test_user
+
+real    1m5.946s
+user    0m0.019s
+sys     0m0.012s
+
+With this fix:
+
+$ time id test_user
+
+real    0m3.544s
+user    0m0.004s
+sys     0m0.007s
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf)
+---
+ source3/winbindd/winbindd_ads.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 7e572e5d41f..7d6324033ea 100644
+--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
+@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
+ }
+ 
+ static NTSTATUS add_primary_group_members(
+-	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname,
+ 	char ***all_members, size_t *num_all_members)
+ {
+ 	char *filter;
+@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members(
+ 	char **members;
+ 	size_t num_members;
+ 	ads_control args;
+	bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false);
+ 
+ 	filter = talloc_asprintf(
+-		mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
+-		(unsigned)rid);
+		mem_ctx,
+		"(&(objectCategory=user)(primaryGroupID=%u)%s)",
+		(unsigned)rid,
+		all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))");
+ 	if (filter == NULL) {
+ 		goto done;
+ 	}
+@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
+ 
+ 	DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
+ 
+-	status = add_primary_group_members(ads, mem_ctx, rid,
+	status = add_primary_group_members(ads, mem_ctx, rid, domain->name,
+ 					   &members, &num_members);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
+-- 
+2.41.0
+
+
+From 84b6ef6a95d821e44462105250ce50d124a62150 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Mon, 25 Mar 2024 22:38:18 +0100
+Subject: [PATCH 3/4] selftest: Add "winbind expand groups = 1" to
+ setup_ad_member_idmap_ad
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
+---
+ selftest/target/Samba3.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index bbce55ea508..cf40633d127 100755
+--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
+@@ -1420,6 +1420,7 @@ sub setup_ad_member_idmap_ad
+ 	idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
+ 	gensec_gssapi:requested_life_time = 5
+ 	winbind scan trusted domains = yes
+	winbind expand groups = 1
+ ";
+ 
+ 	my $ret = $self->provision(
+-- 
+2.41.0
+
+
+From 550c6218e83468874a6a11295a7b08b148d1295a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
+Date: Thu, 14 Mar 2024 15:24:21 +0100
+Subject: [PATCH 4/4] tests: Add a test for "all_groups=no" to test_idmap_ad.sh
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
+
+Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
+Autobuild-Date(master): Tue Apr  2 13:25:39 UTC 2024 on atb-devel-224
+
+(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967)
+---
+ nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
+index 7ae112ada71..1d4bd395ba9 100755
+--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
+@@ -94,6 +94,14 @@ gidNumber: 2000001
+ unixHomeDirectory: /home/forbidden
+ loginShell: /bin/tcsh
+ gecos: User in forbidden OU
+
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: add
+objectClass: user
+samaccountName: no_posix_id
+unixHomeDirectory: /home/no_posix_id
+loginShell: /bin/sh
+gecos: User without uidNumber and gidNumber
+ EOF
+ 
+ #
+@@ -171,6 +179,17 @@ then
+ 	failed=$(($failed + 1))
+ fi
+ 
+#
+# Test 6: Make sure that with the default "all_groups=no"
+# the group "domain users" will not show user "no_posix_id"
+# but will show "SAMBA2008R2/administrator"
+#
+
+dom_users="$DOMAIN/domain users"  # Extra step to make sure that all is one word
+out="$($wbinfo --group-info "$dom_users")"
+testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1)
+testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1)
+
+ #
+ # Trusted domain test 1: Test uid of Administrator, should be 2500000
+ #
+@@ -241,6 +260,9 @@ gidNumber: 2000002
+ dn: cn=forbidden,ou=sub,$BASE_DN
+ changetype: delete
+ 
+dn: CN=no_posix_id,CN=Users,$BASE_DN
+changetype: delete
+
+ dn: ou=sub,$BASE_DN
+ changetype: delete
+ EOF
+-- 
+2.41.0
+
--- a/samba.spec
+++ b/samba.spec
@ -147,7 +147,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

 %global samba_version 4.20.0
-%global baserelease 102
+%global baserelease 103
 # This should be rc1 or %%nil
 %global pre_release %nil

@ -238,10 +238,7 @@ Source18:       samba-winbind-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore

-# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-20-redhat
-# This will give us CI and makes it easy to generate patchsets.
-#
-# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.20-redhat.patch
+Patch0:         ad_lookup_groupmem.patch

 Requires(pre): %{name}-common = %{samba_depver}
 Requires: %{name}-common = %{samba_depver}
@ -4591,9 +4588,11 @@ fi
 %endif

 %changelog
+* Mon Apr 29 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.20.0-103
+- resolves: RHEL-20473 - Improve performance of winbind idmap_ad backend
+
 * Mon Apr 29 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.20.0-102
 - resolves: RHEL-2109  - Support Certificate Auto Enrollment in Samba
- resolves: RHEL-20473 - Improve performance of winbind idmap_ad backend
 - resolves: RHEL-22157 - Fix root cert import for samba-gpupdate

 * Fri Apr 26 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.20.0-101