domain GUIDs, passdb and dssetup

Andrew Bartlett abartlet at
Wed Nov 16 21:28:28 MST 2011


Following up on your desire to remove some of the links between secrets
and passdb, I wrote up the attached patch, and learnt a fair bit about
the dssetup pipe.

Samba3's dssetup pipe was added in commit a1e72969d571d6b12f4cfa8c6dc16d7d982daa51 by Jerry.  I had assumed it was an AD-only thing added by the original AD efforts, but instead it was added due to bugs with a Samba member server:

Currently, we do not ever initialise the domain GUID, and so fetching
it from the secrets database initialises it, with a new random GUID!
The patch I've written up handles the DC case, passing the problem over
to passdb (where a GUID may or may not be supplied). 

I've not tested it, and I am not sure it is even the correct approach
(that is, perhaps we should initialise this during the join), but I
wanted to give you my findings as you were trying to restructure this

As the only remaining caller for the domain GUID (dssetup from source3)
is not used by a Samba4 DC, I am also quite happy if you remove the
domain GUID -> passdb hooks if they are a problem. 

(the same lessons apply to Samba4, which also does not currently record
the domain GUID or forest details when it is a member)

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-dssetup-Remove-support-for-reading-the-domain-GUI.patch
Type: text/x-patch
Size: 5442 bytes

More information about the samba-technical mailing list