winbindd, samba DC, and trusts

Guenther Deschner gd at samba.org
Thu Jan 31 19:48:11 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

simo wrote:
> On Tue, 2008-01-29 at 09:32 +0100, Volker Lendecke wrote:
>> On Tue, Jan 29, 2008 at 07:23:05PM +1100, Luke Howard wrote:
>>>> I could imagine a command line switch that maps anonymous
>>>> session setup to builtin\administrator *ONLY* in the case
>>>>  
>>> Wouldn't the local machine account be the appropriate identity?
>> Probably in this case. The other longer-term plan with this
>> command line switch is to use a forked smbd to access
>> samba-internal structures via local RPC. This at least
>> potentially can reduce linker dependencies in the net
>> command. For that case you don't want to authenticate but
>> rely on local permissions, very much like the net command
>> does.
> 
> I've been thinking about the idea to fork smbd from winbindd, and I
> think the conclusion is that this would not solve the problem.
> 
> The problem is that if you shut down completely winbindd in smbd then I
> guess auth will fail for any trusted domain user.
> In any case it is a lot of work and I am not sure we will gain much.
> 
> BUT, I came up with a much simpler idea that seems to be working in my
> initial tests.
> 
> Our problem is that we do try to authenticate against smbd in the main
> winbindd daemon, this is a loop problem but also a waste because none
> (that I've checked so far) of the operations we need to perform against
> our own DC really are done in the main daemon.
> 
> All user/group enumeration is normally turned off in the IS_DC case and
> in the Samba DC case what we really care about is pam/ntlm_auth
> authentication anyway, and this is performed in the winbind domain
> child.
> 
> The attached patch therefore makes it so that the main winbind will have
> the domain set as internal and use passdb_methods, while we change that
> on fork so that the child sees it as a non-internal domain and uses
> cache_methods (i.e. RPC calls).
> 
> I am still not 100% sure if there are online/offline implications I
> still can't see from this split behavior; it would be nice to have
> comments on that too, though.

Wow, a patch that tiny fixes such a large problem! At least for me it
resolved the issue we were seeing. And I can't see what it could break.

+1 from me.

Guenther
- --
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHoiX7SOk3aI7hFogRAs4DAKCEzOTZ8dz3e9eWlvTEE3PnFyydEQCfX+vG
RD1/BZrDmjnO6ctjNzGr9u0=
=F3vK
-----END PGP SIGNATURE-----
