domain GUIDs, passdb and dssetup

Andrew Bartlett abartlet at samba.org
Wed Nov 16 21:28:28 MST 2011


GD,

Following up on your desire to remove some of the links between secrets
and passdb, I wrote up the attached patch, and learnt a fair bit about
the dssetup pipe.

Samba3's dssetup pipe was added in commit
http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=a1e72969d571d6b12f4cfa8c6dc16d7d982daa51 by Jerry.  I had assumed it was an AD-only thing added by the original AD efforts, but instead it was added due to bugs with a Samba member server: https://bugzilla.samba.org/show_bug.cgi?id=4439

Currently, we do not ever initialise the domain GUID, and so fetching
it from the secrets database initialises it, with a new random GUID!
The patch I've written up handles the DC case, passing the problem over
to passdb (where a GUID may or may not be supplied).

I've not tested it, and I am not sure it is even the correct approach
(that is, perhaps we should initialise this during the join), but I
wanted to give you my findings as you were trying to restructure this
area.  

As the only remaining caller for the domain GUID (dssetup from source3)
is not used by a Samba4 DC, I am also quite happy if you remove the
domain GUID -> passdb hooks if they are a problem. 

(The same lessons apply to Samba4, which also does not currently record
the domain GUID or forest details when it is a member.)

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-dssetup-Remove-support-for-reading-the-domain-GUI.patch
Type: text/x-patch
Size: 5442 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111117/28129851/attachment.bin>

