s4 winbind: adding some rpc, is it worth it?

Andrew Bartlett abartlet at samba.org
Tue Mar 2 14:08:09 MST 2010


On Tue, 2010-03-02 at 21:57 +0300, Matthieu Patou wrote:
> Hello,
> 
> The title of my email says mostly everything: as some of you have heard, I'm 
> working on winbind in s4 because I need it (I'm getting bored of 
> 3000007 groups, ...).
> 
> So far the job was pretty easy, and I expect that the result is worth the 
> time I invested, even if in a couple of months this code will be useless 
> because s4 should be able to use s3 winbind or will ship with s3 winbind.

I think we will have a lot of users of Samba4 before we get this level
of merge working.  I think it is worth spending time on Samba4's
winbind.

> Now I find that the groups returned are not complete, because the rpc 
> call that is used, samr_GetGroupsForUser, is specified not to return all 
> the groups (not to mention the case of groups of groups). Even with the 
> help of GetAliasMembership I still miss one kind of group (universal 
> ones).

Indeed.  This has been a puzzle for a very long time. 

> A look at the s3 way of doing things showed me the solutions: tokenGroups 
> (not implemented yet in s4) and a fallback to an LDAP request on 
> member/memberof (so at least we can have all the groups).
> That means a new rpc (I think) in s4 winbind, which is a bit of work (and 
> tests).
> 
> Maybe it is worthless? How soon do we plan to do the S3 winbind move?
> Any comment on this will be greatly appreciated.

What would be really useful here is to implement S4U2Self, in our KDC
(needed anyway) and in winbind.  Once we get things worked out in
Samba4's winbind, modulo challenges in Kerberos APIs, I'm sure the
Samba3 folks will be able to port it in.  This call asks for a PAC for a
particular user, who you don't have the password for (so can't just do a
normal kinit for).  The tokengroups attribute is not always populated,
so this is the only right way to solve it. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100303/4f927571/attachment.pgp>
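The thread contrasts a direct-membership lookup (what samr_GetGroupsForUser returns) with the expanded group list that tokenGroups or a member/memberOf walk gives. The following is an added illustration, not code from this thread or from Samba: it models a tiny directory as a Python dict (the DNs and group names are constructed for the example) and shows the nested groups that a one-hop lookup misses, with cycle handling so a walk over groups-of-groups always terminates. Comments note the LDAP queries a real implementation would issue in place of the dict lookups.

```python
"""Direct vs. transitive group membership over a constructed directory.

Added example; the directory contents and DNs below are made up for
illustration and are not real Samba or AD data.
"""
from collections import deque

BASE = "DC=example,DC=test"          # hypothetical domain
ALICE = f"CN=alice,CN=Users,{BASE}"  # constructed user DNs
BOB = f"CN=bob,CN=Users,{BASE}"


def group_dn(name):
    """Build a group DN under a hypothetical Groups OU."""
    return f"CN={name},OU=Groups,{BASE}"


# Constructed sample directory: group DN -> set of DNs listed in its
# 'member' attribute.  'memberOf' is the back-link computed from this.
DIRECTORY = {
    group_dn("Domain Users"): {ALICE, BOB},
    group_dn("Dev"): {ALICE},
    group_dn("Engineering"): {group_dn("Dev")},          # group of groups
    group_dn("All Staff"): {group_dn("Engineering")},    # nested two levels
    group_dn("Loop-A"): {group_dn("Loop-B")},            # membership cycle,
    group_dn("Loop-B"): {group_dn("Loop-A"), BOB},       # must not hang
}


def member_of(dn):
    """Groups whose 'member' attribute lists dn (one 'memberOf' hop).

    In a real directory this is one LDAP search:  filter (member=<dn>).
    """
    return {g for g, members in DIRECTORY.items() if dn in members}


def direct_groups(user_dn):
    """One hop only: the shape of result samr_GetGroupsForUser gives."""
    return member_of(user_dn)


def transitive_groups(user_dn):
    """Breadth-first walk over memberOf links; the seen-set stops cycles.

    This is the expansion the computed 'tokenGroups' attribute returns in
    a single base-scope search on the user object; walking member/memberOf
    is the fallback when that attribute is not populated.
    """
    seen, queue = set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        for g in member_of(dn):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def missing_from_direct(user_dn):
    """Groups a one-hop lookup silently drops for this user."""
    return transitive_groups(user_dn) - direct_groups(user_dn)


if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user)
        print("  direct    :", sorted(direct_groups(user)))
        print("  transitive:", sorted(transitive_groups(user)))
        print("  missed    :", sorted(missing_from_direct(user)))
```

Both the dict walk and a real memberOf walk only see what the queried directory holds; the point of the S4U2Self suggestion in the reply above is that the PAC the KDC issues already carries the user's group SIDs, so winbind would not have to reconstruct the list itself.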