[PATCH] Implement simple means of supporting pam_winbind UPN logins.

Gerald (Jerry) Carter jerry at samba.org
Sun Jul 1 01:20:51 GMT 2007

>> What is your technical objection to the upn->sid->name
>> conversion?  Not "being a fan" is too vague.
> I am not fond of the fact that we can retrieve the SID from
> the client side at all, but I need to elaborate more
> to explain that so let's just put this discussion aside
> for now.

You'll be hard pressed to convince me that me2sid is an
unnecessary function since it is critical to the operation
of smbd.

> It depends on the context in which you use pam authentication.
> If you use it only for system/ssh login it is probably ok, while on a
> busy POP/SMTP email server (or apache with pam_auth) with a few
> thousand users the pam_winbind performance may be much more
> critical.

Perhaps.  Perhaps not.  We would need to see numbers of both
a client implementation and a server implementation.  And you
need to be able to prove that a server with X number of
authentication requests per second works now and does not work
with this patch.  But even then, you can simply disable the
request with a setting in /etc/security/pam_winbind.conf
if necessary.  So for now, this debate point is purely speculative
and no reason to deny functionality.

cheers, jerry
