winbind on PDC for trusted domains

Andrew Bartlett abartlet at samba.org
Sat Jun 28 10:04:34 GMT 2003 

On Sat, 2003-06-28 at 18:42, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 27 Jun 2003, Andrew Bartlett wrote:
> 
> > On Thu, 2003-06-26 at 19:57, Volker Lendecke wrote:
> > > On Thu, Jun 26, 2003 at 11:55:24AM +0200, Volker Lendecke wrote:
> > > > As winbindd has considerably changed lately, I had to tweak my little
> > > > patch to make it work on a PDC a bit. Here is my latest version.
> > > 
> > > Ah, just that I'm not misunderstood:
> > > 
> > > This is completely work in progress.
> > 
> > And this patch is worse...
> > 
> > The attached patch attempts to call the auth subsystem from inside
> > winbind, to prevent it from looping back to smbd (which will lock on
> > contacting winbind).
> 
> Can I suggest that we just disable winbindd lookups for users that 
> don't have the winbind separator in the name.  I think you guysa re making 
> this too complicated.  I really don't think winbindd needs to be digging 
> around in local accounts.  That really makes things messy from 
> a code maintainance point of view.

We are already heading for this - winbind has a passdb backend already
(not operational), and it is intended that winbind should provide these
services for direct NT migrations.

(Ie, you suck down an NT PDC into passdb, and winbind handles the rest).

I agree that it seems to be feature creep - if we really do feel that
way, then creating a seperate 'samba-authd' might be appropriate. 
However, given the circumstances I think it's suitable.

> The patch at http://samba.org/~jerry/winbind_on_pdc_v1.patch
> works with the minor detail that I still have to code up the trustdomain
> and winbind auth methods to produce a SAM_ACCOUNT.  This patch has been 
> tested a fair amount.  I know basic SMB connection works.

Avoiding winbind calls in smbd is a loosing game - it's much easier to
control what winbind contacts.  Too many things call nsswitch - and for
'winbind use default domain' it's not possible to tell at all.

> Also note that there is a server mutex deadlock in the cvs code right
> when using "auth methods = guest sam trustdomain" and trying to run
> winbindd.  We should really only use "guest sam winbind" if winbindd is 
> running and leave the trustdomain auth method for situations where the
> usernames already match.

I would suggest an alternative approach, for the following reasons:

 - smbd is unsuitable for contacting trusted domains: 

  - It cannot cache connections
    - For applications like Squid (even on a domain member) we can get a
*lot* of authentication requests.  Creating a new connection for each
authentication will hit us hard.
  - It cannot use the winbind negative connection cache
  - It requires yet another item in the chain for trusted 

I would like to see the trustdomain auth module die.  We have seen the
problems that the 'ntdomain' module has, and the caching of connections
via winbind significantly enhances performance.  

Winbindd already contacts each trusted DC for LSA, SAMR etc - I don't
see an issue contacting it for the NETLOGON pipe too.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030628/ba328310/attachment.bin

More information about the samba-technical mailing list