Winbind - functionality extension needed

Ondrej Valousek webserv at s3group.cz
Wed Jul 8 14:38:52 GMT 2009


Hi all,

I would like to ask if it would be possible to extend the functionality 
of winbind and nss_winbind.so to cover other system databases (not 
only passwd and group).
The trick is that, as of Windows Server 2003 R2 or 2008, the AD schema 
already contains all the RFC 2307 attributes needed to store Unix 
system databases in AD - so the obvious question is whether we can use 
winbind and nsswitch.conf and store all databases in Active Directory.

The immediate answer is that nss_ldap (from PADL Software) does this - 
but unfortunately not effectively. Why?
1. nss_ldap does no caching (no daemon running)
2. By default, you need to authenticate to AD in order to access it via 
LDAP. That leaves us two options:
a) allow anonymous access to AD
b) configure something like a "proxy" user to access AD

I do not like either of those options - the most elegant solution would 
be to use the machine's Kerberos credentials to access AD, the same way 
winbind does.

So, hence my question: would it be possible to extend the functionality 
of winbind, or am I completely wrong / is this a bad idea?
Many thanks for any feedback.

Ondrej
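For readers unfamiliar with the two setups being compared, here is what the "proxy user" nss_ldap configuration (option b above) and the winbind machine-credential configuration look like side by side. This is an added illustration, not configuration from the original post or from the Samba or PADL projects; the host, realm, base DN and proxy-account names are made up, the nss_ldap keywords are those of PADL's /etc/ldap.conf and the smb.conf parameters are Samba 3.x ones, and the comment about AD's anonymous-bind default is stated from general knowledge rather than from the post.

```text
# /etc/nsswitch.conf: the databases the post wants served from AD,
# beyond the passwd/group pair that nss_winbind covers today
passwd:    files ldap
group:     files ldap
hosts:     files dns ldap
services:  files ldap
netgroup:  files ldap
automount: files ldap

# /etc/ldap.conf (PADL nss_ldap), option (b): a dedicated "proxy" bind account
uri      ldap://dc1.example.com/          # assumed hostname
base     dc=example,dc=com                # assumed base DN
binddn   cn=nssproxy,ou=Service Accounts,dc=example,dc=com   # assumed account
bindpw   proxy-secret                     # cleartext on every client - the
                                          # reason the post dislikes option (b)
ssl      start_tls                        # at least keep the password off the wire
nss_base_passwd  ou=People,dc=example,dc=com?sub
nss_base_group   ou=Groups,dc=example,dc=com?sub
# AD's RFC 2307 data lives on its own object classes, so map the names nss_ldap expects
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute   uid sAMAccountName
# Option (a) is the same file with binddn/bindpw removed (anonymous bind);
# a default AD forest rejects anonymous reads, so it only works after the
# directory has been reconfigured to allow them.

# /etc/samba/smb.conf: what winbind does today for passwd/group using the
# machine account's Kerberos credentials and the RFC 2307 attributes in AD
[global]
   security = ads
   realm = EXAMPLE.COM                    # assumed realm
   workgroup = EXAMPLE                    # assumed NetBIOS domain
   winbind nss info = rfc2307
   winbind use default domain = yes
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
```

The contrast is the point: the smb.conf fragment contains no stored secret at all, because winbind authenticates with the keytab the host obtained when it joined the domain, whereas the nss_ldap fragment needs a password readable by every process that resolves a name.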

