Plans for pdb_ads and auth_netlogond?

Andrew Bartlett abartlet at samba.org
Tue Jun 19 16:43:04 MDT 2012


On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> >   - auth_netlogond cannot handle kerberos (because it was written before those 
> >     extensions), and cannot query the correct lsa database for matching privileges. 
> 
> Why could it not be extended to do this? We have had
> Kerberos support in smbd for ages, as you very well know.
> And querying an LSA database over RPC is no magic either.

If you want to implement an IPC mechanism for authentication, then I'm
happy to consult on the full difficulties.  I wouldn't start with
auth_netlogond however, either auth_wbc for pure NTLM or the
mooted-but-never-implemented 'GENSEC pipe' would be better starting
points.

> Regarding the missing transactions over LDAP: We have talked
> about how to fix that problem a couple of years ago. Design
> LDAP exops that do the whole set of operations that need to
> be protected by transactions.

Even if you were to implement LDAP transactions specifically for this
module, the lack of offline support would seem to doom this to forever
being a duplicate effort, so I'm really at a loss as to understand what
we would gain by doing so. 

I asked you if you had plans for further development, and you said you
didn't.  To be clear, do you plan to further develop these modules?

> > - At best, they duplicate the supported, working and tested solution. 
> > 
> > - We should not release, even as a developer feature, code which is duplicate, 
> >   untested and which we do not wish to support. 
> 
> Sorry, but with that argument we need to remove the S4
> fileserver immediately. It is duplicate and it is nothing
> anybody wants to support.

There is a critical difference, and that is that it has real-world users
and it is tested by an extensive test-suite.

Even so, we are doing our best to ensure that new users (and therefore
the bulk of total deployments) do not use this code base, as agreed. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
