[GSoC 2007] Improving Samba 4 winbind, a look back.
Kai Blin
kai at samba.org
Wed Sep 19 10:31:10 GMT 2007
Hi folks,
Jerry and Tridge asked for a summary of the summer of code projects that were
done this year, here is mine.
What the project is about
-------------------------
Samba4 contains a basic winbind implementation, but it is still lacking many
features. The goal of my project was to improve Samba4 winbind so that the
nsswitch and pam functionality provided by Samba3's winbindd would be present
in Samba4, too.
Simply copying code over from Samba3 would not do, of course, as the
underlying architecture in Samba4 is different. Also, the goal was to improve
readability of the code, as opposed to the more organically "grown" look of
the Samba3 winbindd code.
In Samba4, there is a library taking care of user/group management called
libnet. Samba4 winbind uses this library extensively.
What was done so far
--------------------
* Porting nsstest to Samba4
nsstest is a binary that tests basic functionality of an nsswitch library.
Once all the tests in nsstest work for libnss_winbind from Samba4, the
winbind implementation is useable.
* Getting information about users / SIDs
This is the basic nsswitch getpwnam/getpwuid functionality returning a
pwent structure. It is also possible to query for AD / NT domain
information about the user/sid.
* User listing / enumeration
nsswitch provides a set of functions (setpwent/getpwent/endpwent) to
iterate over a password database. The classic database is
the /etc/passwd file, but of course using nsswitch, it's possible to use
a directory like LDAP or AD.
* Mapping SIDs to user ids and back
This one is only stubbed out, as Samba4 doesn't handle that mapping yet.
However, functions for this were needed to make winbind work, so I had
to stub these out. The advantage is that the other code will
automagically start to work correctly once these functions are
implemented for real.
* Mapping SIDs to group ids and back
Much the same applies here, once idmapping is supported in Samba4, this
will be replaced by real code.
What is left to do
------------------
* Group enumeration
The libnet functions for group enumeration were not implemented by the
time GSoC was up. Now these functions are in, so support for groups
identical to the user functions will follow soon.
* NTLM caching
Due to time constraints, caching of NTLM blobs was discarded. The
nsswitch/pam functionality was regarded as of core importance.
* PAC/info3 caching
As with NTLM caching, PAC/info3 caching was discarded. Caching is only
interesting once the other features are working and will be implemented
eventually.
* Automated tests
Currently the only way to test all of the functionality is to wrap the
wbinfo binary and let that take care of constructing the necessary
winbind queries. This is a bit clumsy. Jerry Carter is currently working
on a winbind client library that will allow access to the functionality
of wbinfo without a wrapper. The tests will be implemented using that
API once it is in the tree.
Future (related) work
---------------------
First of all, the features still left on the TODO list will be implemented.
Group functions first, testing next if possible. There is more to winbind
than this GSoC project was about, so more of the missing features will be
implemented. The caching will follow once the other features are working and
tested.
An improved winbind will help Samba4 to not only act as an AD controller but
also as a domain member.
A look back
-----------
Complying with long-standing computer science tradition, I underestimated the
amount of work that had to be done before I could start working on the actual
features I was planning to implement. In the end I had to prioritize features
and drop the least important ones to get finished in time. I did not expect
to spend so much time figuring out my way around the libnet code.
However, the foundation for implementing the dropped features is laid, so I do
not feel too bad about it. Samba4 winbind already works better than before.
Pending group support and id mapping, it will be usable for simple scenarios.
Conclusions
-----------
I still need to be more careful about the scheduling of projects and
estimating the amount of work required to get features to work. Still, the
only way to improve is to try and adjust the estimations accordingly. I feel
more confident around the Samba4 code now, thanks to Metze, Jelmer and
Andrew's help. Of course thanks to all the other team members for the help
and advice offered, on IRC and the mailing lists.
Last but not least I would like to thank Google in general and Leslie Hawthorn
in particular for running the third Summer of Code program in an efficient
manner, making this a really enjoyable experience.
--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.