[proof of concept] libwbclient.so

simo idra at samba.org
Tue Sep 4 16:36:57 GMT 2007


On Tue, 2007-09-04 at 11:21 -0500, Gerald (Jerry) Carter wrote:
> 
> > Why do we ever need to understand SIDs on the pam side anyway?
> 
> Many things on the Unix side need to understand SID and to

I said PAM and not generically UNIX for a reason.

> be able to convert them to uids/gids.  Any cifs file system client
> needs to be able to do this.  Any GUI app displaying security
> descriptors on a remote share needs to be able to do this.  Even smbd
> needs to be able to do this. A login manager that wants to display
> a list of available domains (like a Windows client would do)
> should be able to make an API call, not system("wbinfo -m").

Sure, I am not at all saying we don't need to map SIDs; I wrote half of
the idmap backend, you know it and I know it.

> You and I have two main points of contention.  You want a PAM/NSS
> specific API and a more generic Winbind API.  IMO that is unnecessary
> and a bad design.  Because of your design, you see pam_winbind
> using one API and smbd using another.  My point is that there is
> only one API provided by the winbind client library.  This single
> library is used by pam_winbind and smbd.

Ok I guess this is the point where we do not agree.

> As long as you continue to believe that there should be two
> or three different libraries, then of course you will never
> see why pam_winbind would need to be able to deal with SIDs.

Exactly.

> I believe that you are simply confusing policy and mechanism. 

I disagree here.
The whole pam_winbind/winbindd is beyond the PAM interface (the
mechanism) anyway. You can decide to put the policy in the library PAM
loads or you can put it into winbindd. There is really not much
difference from what I can see from the mechanism POV.

There is instead a difference in performance and control. If you put the
decision in winbindd you can have fewer round-trips and less information
going around; you can also have more control in winbindd, as talking with
a daemon is much easier than talking to config files/libraries
(delegation, automation, etc...).

Also, after experience with other ugly pam/nss modules, I am a firm
believer that the less you put in the user's process space the better.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org

