winbindd vs. lsarpcd/netlogond

Elrond elrond at samba.org
Thu Jul 13 12:55:33 GMT 2000


Hi Tim,

I'm thinking about this now and then, and now I'm just
going to write it up.

I'm just seeing that winbindd is doubling a bunch of
functionality that, from my point of view, should be in
lsarpcd or netlogond.

For example: You've just added a function to let the
workstation check its trust account password. AFAIK this is
a function that lsarpcd or netlogond is supposed to be
able to do (look below for more info on this).

I think winbindd should ask those daemons about anything
that is more a responsibility of the samba daemons, instead
of trying to do the job itself.

I've seen from the cvs messages that HEAD is now going in
the opposite direction, in that the samba daemons
(HEAD has all that in one -- smbd -- I know) ask
winbind.

I thought the first main purpose of winbind was to provide
nsswitch services. The next purpose that was added, and
that makes sense to me, was pam support. And one purpose
that also makes some sense to me is the creation of
something like a SURS daemon.

All these make quite some sense:

nsswitch and pam provide a way for Unix to live/interact in
an nt-environment and use their "resources".

A surs daemon also makes some sense, because winbindd
already has to provide some mapping from sids to uid/gid
and vice versa (also there are some little, but important,
details in contrast to the surs that samba-as-pdc needs,
but that's another story).

But I don't see that "check the trust password" is really
anything that has to do with unix<->nt interaction; it is
just something that only has to do with nt. The normal
unix world doesn't need to care about it in any way. So I
think this stuff should be left to the samba daemons.


Don't take this as offending; I just needed to write this
up somehow.


Okay: I said above that trust account checking is really
the job of netlogond/lsarpcd:

I know that samba currently hasn't got this, so I don't
even know which daemon is supposed to do it. But this
functionality exists.

There's a tool in the ntreskit called netdom.exe; it has
a function to let a remote ntbox check its trust password.
So it shouldn't be too hard to run this against some ntbox
and generate a trace. I can't do that easily currently, so
I don't have a trace for it. If someone wants to provide a
netmon trace, that would be nice. :)


    Elrond

