winbind on PDC for trusted domains

Andrew Bartlett abartlet at samba.org
Sat Jun 28 10:19:27 GMT 2003 

On Sat, 2003-06-28 at 20:03, Andrew Bartlett wrote:
> On Sat, 2003-06-28 at 18:42, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 27 Jun 2003, Andrew Bartlett wrote:
> > 
> > > On Thu, 2003-06-26 at 19:57, Volker Lendecke wrote:
> > > > On Thu, Jun 26, 2003 at 11:55:24AM +0200, Volker Lendecke wrote:
> > > > > As winbindd has considerably changed lately, I had to tweak my little
> > > > > patch to make it work on a PDC a bit. Here is my latest version.
> > > > 
> > > > Ah, just that I'm not misunderstood:
> > > > 
> > > > This is completely work in progress.
> > > 
> > > And this patch is worse...
> > > 
> > > The attached patch attempts to call the auth subsystem from inside
> > > winbind, to prevent it from looping back to smbd (which will lock on
> > > contacting winbind).
> > 
> > Can I suggest that we just disable winbindd lookups for users that 
> > don't have the winbind separator in the name.  I think you guysa re making 
> > this too complicated.  I really don't think winbindd needs to be digging 
> > around in local accounts.  That really makes things messy from 
> > a code maintainance point of view.
> 
> We are already heading for this - winbind has a passdb backend already
> (not operational), and it is intended that winbind should provide these
> services for direct NT migrations.
> 
> (Ie, you suck down an NT PDC into passdb, and winbind handles the rest).
> 
> I agree that it seems to be feature creep - if we really do feel that
> way, then creating a seperate 'samba-authd' might be appropriate. 
> However, given the circumstances I think it's suitable.
> 
> > The patch at http://samba.org/~jerry/winbind_on_pdc_v1.patch
> > works with the minor detail that I still have to code up the trustdomain
> > and winbind auth methods to produce a SAM_ACCOUNT.  This patch has been 
> > tested a fair amount.  I know basic SMB connection works.
> 
> Avoiding winbind calls in smbd is a loosing game - it's much easier to
> control what winbind contacts.  Too many things call nsswitch - and for
> 'winbind use default domain' it's not possible to tell at all.

Also, we need to contact winbind for the idmap operations that a
smbd-based login would entail.  

> > Also note that there is a server mutex deadlock in the cvs code right
> > when using "auth methods = guest sam trustdomain" and trying to run
> > winbindd.  We should really only use "guest sam winbind" if winbindd is 
> > running and leave the trustdomain auth method for situations where the
> > usernames already match.
> 
> I would suggest an alternative approach, for the following reasons:
> 
>  - smbd is unsuitable for contacting trusted domains: 
> 
>   - It cannot cache connections
>     - For applications like Squid (even on a domain member) we can get a
> *lot* of authentication requests.  Creating a new connection for each
> authentication will hit us hard.
>   - It cannot use the winbind negative connection cache
>   - It requires yet another item in the chain for trusted 

Talking back to smbd would also entail an extra round of PAM checks.

> I would like to see the trustdomain auth module die.  We have seen the
> problems that the 'ntdomain' module has, and the caching of connections
> via winbind significantly enhances performance.  
> 
> Winbindd already contacts each trusted DC for LSA, SAMR etc - I don't
> see an issue contacting it for the NETLOGON pipe too.

Now that I'm finished uni for the semester, I'll try and get the patch
finished.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030628/eda20877/attachment.bin

More information about the samba-technical mailing list