Plans for pdb_ads and auth_netlogond?
Andrew Bartlett
abartlet at samba.org
Tue Jun 19 16:43:04 MDT 2012
On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> > - auth_netlogond cannot handle kerberos (because it was written before those
> > extensions), and cannot query the correct lsa database for matching privileges.
>
> Why could it not be extended to do this? We have had
> Kerberos support in smbd for ages, as you very well know.
> And querying an LSA database over RPC is no magic either.
If you want to implement an IPC mechanism for authentication, then I'm
happy to consult on the full difficulties. I wouldn't start with
auth_netlogond however; either auth_wbc for pure NTLM or the
mooted-but-never-implemented 'GENSEC pipe' would be better starting
points.
> Regarding the missing transactions over LDAP: We have talked
> about how to fix that problem a couple of years ago. Design
> LDAP exops that do the whole set of operations that need to
> be protected by transactions.
Even if you were to implement LDAP transactions specifically for this
module, the lack of offline support would seem to doom this to forever
being a duplicate effort, so I'm really at a loss as to understand what
we would gain by doing so.
I asked you if you had plans for further development, and you said you
didn't. To be clear, do you plan to further develop these modules?
> > - At best, they duplicate the supported, working and tested solution.
> >
> > - We should not release, even as a developer feature, code which is duplicate,
> > untested and which we do not wish to support.
>
> Sorry, but with that argument we need to remove the S4
> fileserver immediately. It is duplicate and it is nothing
> anybody wants to support.
There is a critical difference, and that is that it has real-world users
and it is tested by an extensive test-suite.
Even so, we are doing our best to ensure that new users (and therefore
the bulk of total deployments) do not use this code base, as agreed.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org