winbindd, samba DC, and trusts
gd at samba.org
Thu Jan 31 19:48:11 GMT 2008
> On Tue, 2008-01-29 at 09:32 +0100, Volker Lendecke wrote:
>> On Tue, Jan 29, 2008 at 07:23:05PM +1100, Luke Howard wrote:
>>>> I could imagine a command line switch that maps anonymous
>>>> session setup to builtin\administrator *ONLY* in the case
>>> Wouldn't the local machine account be the appropriate identity?
>> Probably in this case. The other longer-term plan with this
>> command line switch is to use a forked smbd to access
>> samba-internal structures via local RPC. This at least
>> potentially can reduce linker dependencies in the net
>> command. For that case you don't want to authenticate but
>> rely on local permissions, very much like the net command
> I've been thinking about the idea to fork smbd from winbindd, and I
> think the conclusion is that this would not solve the problem.
> The problem is that if you completely shut down winbindd in smbd then I
> guess auth will fail for any trusted domain user.
> In any case it is a lot of work and I am not sure we will gain much.
> BUT, I came up with a much simpler idea that seems to be working in my
> initial tests.
> Our problem is that we do try to authenticate against smbd in the main
> winbindd daemon; this is a loop problem but also a waste, because none
> (that I've checked so far) of the operations we need to perform against
> our own DC are really done in the main daemon.
> All user/group enumeration is normally turned off in the IS_DC case and
> in the Samba DC case what we really care about is pam/ntlm_auth
> authentication anyway, and this is performed in the winbind domain
> The attached patch therefore makes it so that the main winbind will have
> the domain set as internal and use passdb_methods, while we change that
> on fork so that the child sees it as a non-internal domain and uses
> cache_methods (IE RPC calls).
> I am still not 100% sure if there are online/offline implications I still
> can't see with this split behavior; it would be nice to have comments on
> that too though.
Wow, a patch that tiny fixes such a large problem! At least for me it
resolved the issue we were seeing. And I can't see what it could break.
+1 from me.
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org