[GSoC 2007] Improving Samba 4 winbind, a look back.

Andrew Bartlett abartlet at samba.org
Wed Sep 19 11:41:48 GMT 2007

On Wed, 2007-09-19 at 12:31 +0200, Kai Blin wrote:
> Hi folks,
> Jerry and Tridge asked for a summary of the summer of code projects that were 
> done this year; here is mine.
> What the project is about
> -------------------------
> Samba4 contains a basic winbind implementation, but it is still lacking many 
> features. The goal of my project was to improve Samba4 winbind so that the 
> nsswitch and pam functionality provided by Samba3's winbindd would be present 
> in Samba4, too.
> Simply copying code over from Samba3 would not do, of course, as the 
> underlying architecture in Samba4 is different. Also, the goal was to improve 
> readability of the code, as opposed to the more organically "grown" look of 
> the Samba3 winbindd code.
> What is left to do
> ------------------
>     * PAC/info3 caching
>       As with NTLM caching, PAC/info3 caching was discarded. Caching is only
>       interesting once the other features are working and will be implemented
>       eventually.

I actually disagree here.  This is perhaps the only reliable way to get
the groups a user is a member of, and should instead be the primary
method by which this is obtained.  There are rumoured to be kerberos
calls to obtain a PAC for a user (without their password), and we should
try and support this.

>     * Automated tests
>       Currently the only way to test all of the functionality is to wrap the
>       wbinfo binary and let that take care of constructing the necessary
>       winbind queries. This is a bit clumsy. Jerry Carter is currently working
>       on a winbind client library that will allow access to the functionality
>       of wbinfo without a wrapper. The tests will be implemented using that
>       API once it is in the tree.
> Future (related) work
> ---------------------
> First of all, the features still left on the TODO list will be implemented. 
> Group functions first, testing next if possible. There is more to winbind 
> than this GSoC project was about, so more of the missing features will be 
> implemented. The caching will follow once the other features are working and 
> tested.
> An improved winbind will help Samba4 to not only act as an AD controller but 
> also as a domain member.

This is the key part.  If the cluster code in Samba4 is to be used, this
and the connections from the LSA server are critical.  Even just acting
as a DC quickly invokes ideas of trusted domains.

> A look back
> -----------
> Complying with long-standing computer science tradition, I underestimated the 
> amount of work that had to be done before I could start working on the actual 
> features I was planning to implement. In the end I had to prioritize features 
> and drop the least important ones to get finished in time. I did not expect 
> to spend so much time figuring out my way around the libnet code.
> However, the foundation for implementing the dropped features is laid, so I do 
> not feel too bad about it. Samba4 winbind already works better than before. 
> Pending group support and id mapping, it will be usable for simple scenarios.

A tradition well respected :-).

> Conclusions
> -----------
> I still need to be more careful about the scheduling of projects and 
> estimating the amount of work required to get features to work. Still, the 
> only way to improve is to try and adjust the estimations accordingly. I feel 
> more confident around the Samba4 code now, thanks to Metze, Jelmer and 
> Andrew's help. Of course thanks to all the other team members for the help 
> and advice offered, on IRC and the mailing lists.
> Last but not least I would like to thank Google in general and Leslie Hawthorn 
> in particular for running the third Summer of Code program in an efficient 
> manner, making this a really enjoyable experience.

Congratulations on completing the project!  I hope you find some time to
improve winbind further; as you have noted, it needs a lot of work!

I'm sorry it so often came down to infrastructure not being in place, or
not being useful/functional/tested in the shape from which it started.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.