winbindd, samba DC, and trusts

simo idra at samba.org
Tue Jan 29 19:20:58 GMT 2008


On Tue, 2008-01-29 at 09:32 +0100, Volker Lendecke wrote:
> On Tue, Jan 29, 2008 at 07:23:05PM +1100, Luke Howard wrote:
> > >I could imagine a command line switch that maps anonymous
> > >session setup to builtin\administrator *ONLY* in the case
> > >  
> > Wouldn't the local machine account be the appropriate identity?
> 
> Probably in this case. The other longer-term plan with this
> command line switch is to use a forked smbd to access
> samba-internal structures via local RPC. This at least
> potentially can reduce linker dependencies in the net
> command. For that case you don't want to authenticate but
> rely on local permissions, very much like the net command
> does.

I've been thinking about the idea to fork smbd from winbindd, and I
think the conclusion is that this would not solve the problem.

The problem is that if you shut down winbindd completely in smbd then I
guess auth will fail for any trusted domain user.
In any case it is a lot of work and I am not sure we will gain much.

BUT, I came up with a much simpler idea that seems to be working in my
initial tests.

Our problem is that we do try to authenticate against smbd in the main
winbindd daemon, this is a loop problem but also a waste because none
(that I've checked so far) of the operations we need to perform against
our own DC really are done in the main daemon.

All user/group enumeration is normally turned off in the IS_DC case and
in the Samba DC case what we really care about is pam/ntlm_auth
authentication anyway, and this is performed in the winbind domain
child.

The attached patch therefore makes it so that the main winbind will have
the domain set as internal and use passdb_methods, while we change that
on fork so that the child sees it as a non-internal domain and uses
cache_methods (i.e. RPC calls).

I am still not 100% sure whether there are online/offline implications I
still can't see with this split behavior; it would be nice to have
comments on that too.

Simo.



-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sambadc_winbindd_is_dc.patch
Type: text/x-patch
Size: 1474 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080129/98a500cd/sambadc_winbindd_is_dc.bin