domain GUIDs, passdb and dssetup
abartlet at samba.org
Wed Nov 16 21:28:28 MST 2011
Following up on your desire to remove some of the links between secrets
and passdb, I wrote up the attached patch, and learnt a fair bit about
the dssetup pipe.
Samba3's dssetup pipe was added in commit
http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=a1e72969d571d6b12f4cfa8c6dc16d7d982daa51
by Jerry. I had assumed it was an AD-only thing added by the original AD
efforts, but instead it was added due to bugs with a Samba member
server: https://bugzilla.samba.org/show_bug.cgi?id=4439
Currently, we do not ever initialise the domain GUID, and so fetching
them from the secrets database initialises them, with a new random GUID!
The patch I've written up handles the DC case, passing the problem over
to passdb (where a GUID may or may not be supplied).
I've not tested it, and I am not sure it is even the correct approach
(that is, perhaps we should initialise this during the join), but I
wanted to give you my findings as you were trying to restructure this
As the only remaining caller for the domain GUID (dssetup from source3)
is not used by a Samba4 DC, I am also quite happy if you remove the
domain GUID -> passdb hooks if they are a problem.
(the same lessons apply to Samba4, which also does not currently record
the domain GUID or forest details when it is a member)
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5442 bytes
Desc: not available