[GSoC 2007] Improving Samba 4 winbind, a look back.

Kai Blin kai at samba.org
Wed Sep 19 10:31:10 GMT 2007

Hi folks,

Jerry and Tridge asked for a summary of the summer of code projects that were 
done this year, here is mine.

What the project is about

Samba4 contains a basic winbind implementation, but it is still lacking many 
features. The goal of my project was to improve Samba4 winbind so that the 
nsswitch and pam functionality provided by Samba3's winbindd would be present 
in Samba4, too.

Simply copying code over from Samba3 would not do, of course, as the 
underlying architecture in Samba4 is different. Also, the goal was to improve 
readability of the code, as opposed to the more organically "grown" look of 
the Samba3 winbindd code.

In Samba4, there is a library taking care of user/group management called 
libnet. Samba4 winbind uses this library extensively.

What was done so far

    * Porting nsstest to Samba4
      nsstest is a binary that test basic functionality of a nsswitch library.
      Once all the tests in nsstest work for libnss_winbind from Samba4, the
      winbind implementation is useable.

    * Getting information about users / SIDs
      This is the basic nsswitch getpwnam/getpwuid functionality returning a
      pwent structure. It is also possible to query for AD / NT domain
      information about the user/sid.

    * User listing / enumeration
      nsswitch provides a set of functions (setpwent/getpwent/endpwent) to
      iterate over a password database. The classic database is
      the /etc/passwd file, but of course using nsswitch, it's possible to use
      a directory like LDAP or AD.

    * Mapping SIDs to user ids and back
      This one is only stubbed out, as Samba4 doesn't handle that mapping yet.
      However, functions for this were needed to make winbind work, so I had
      to stub these out. The advantage is that the other code will 
      automagically start to work correctly once these functions are
      implemented for real.

    * Mapping SIDs to group ids and back
      Much the same applies here, once idmapping is supported in Samba4, this
      will be replaced by real code.

What is left to do

    * Group enumeration
      The libnet functions for group enumeration were not implemented by the
      time GSoC was up. Now these functions are in, so support for groups
      identical to the user functions will follow soon.

    * NTLM caching
      Due to time constraints, caching of NTLM blobs was discarded. The
      nsswitch/pam functionality was regarded as core importance.

    * PAC/info3 caching
      As with NTLM caching, PAC/info3 caching was discarded. Caching is only
      interesting once the other features are working and will be implemented

    * Automated tests
      Currently the only way to test all of the functionality is to wrap the
      wbinfo binary and let that take care of constructing the necessary
      winbind queries. This is a bit clumsy. Jerry Carter is currently working
      on a winbind client library that will allow to access the functionality
      of wbinfo without a wrapper. The tests will be implemented using that
      API once it is in the tree.

Future (related) work

First of all, the features still left on the TODO list will be implemented. 
Group functions first, testing next if possible. There is more to winbind 
than this GSoC project was about, so the more missing features will be 
implemented. The caching will follow once the other features are working and 

An improved winbind will help Samba4 to not only act as an AD controller but 
also as a domain member.

A look back

Complying with long-standing computer science tradition, I underestimated the 
amount of work that had to be done before I could start working on the actual 
features I was planning to implement. In the end I had to prioritize features 
and drop the least important ones to get finished in time. I did not expect 
to spend so much time figuring out my way around the libnet code.

However, the foundation for implementing the dropped features is laid, so I do 
not feel too bad about it. Samba4 winbind already works better than before. 
Pending group support and id mapping, it will be usable for simple scenarios.


I still need to be more careful about the scheduling of projects and 
estimating the amount of work required to get features to work. Still, the 
only way to improve is to try and adjust the estimations accordingly. I feel 
more confident around the Samba4 code now, thanks to Metze, Jelmer and 
Andrew's help. Of course thanks to all the other team members for the help 
and advice offered, on IRC and the mailing lists.
Last but not least I would like to thank Google in general and Leslie Hawthorn 
in particular for running the third Summer of Code program in an efficient 
manner, making this a really enjoyable experience.

Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20070919/86d9664d/attachment.bin

More information about the samba-technical mailing list