Plans for pdb_ads and auth_netlogond?

Andrew Bartlett abartlet at
Tue Jun 19 16:43:04 MDT 2012

On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> >   - auth_netlogond cannot handle kerberos (because it was written before those 
> >     extensions), and cannot query the correct lsa database for matching privileges. 
> Why could it not be extended to do this? We have had
> Kerberos support in smbd for ages, as you very well know.
> And querying an LSA database over RPC is no magic either.

If you want to implement an IPC mechanism for authentication, then I'm
happy to consult on the full difficulties.  I wouldn't start with
auth_netlogond however, either auth_wbc for pure NTLM or the
mooted-but-never-implemented 'GENSEC pipe' would be better starting

> Regarding the missing transactions over LDAP: We have talked
> about how to fix that problem a couple of years ago. Design
> LDAP exops that do the whole set of operations that need to
> be protected by transactions.

Even if you were to implement LDAP transactions specifically for this
module, the lack of offline support would seem to doom this to forever
being a duplicate effort, so I'm really at a loss as to understand what
we would gain by doing so. 

I asked you if you had plans for further development, and you said you
didn't.  To be clear, do you plan to further develop these modules?

> > - At best, they duplicate the supported, working and tested solution. 
> > 
> > - We should not release, even as a developer feature, code which is duplicate, 
> >   untested and which we do not wish to support. 
> Sorry, but with that argument we need to remove the S4
> fileserver immediately. It is duplicate and it is nothing
> anybody wants to support.

There is a critical difference, and that is that it has real-world users
and it is tested by an extensive test-suite. 

Even so, we are doing our best to ensure that new users (and therefore
the bulk of total deployments) do not use this code base, as agreed. 


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
