Plans for pdb_ads and auth_netlogond?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 19 23:48:21 MDT 2012


On Wed, Jun 20, 2012 at 08:43:04AM +1000, Andrew Bartlett wrote:
> On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> > On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> > >   - auth_netlogond cannot handle kerberos (because it was written before those 
> > >     extensions), and cannot query the correct lsa database for matching privileges. 
> > 
> > Why could it not be extended to do this? We have had
> > Kerberos support in smbd for ages, as you very well know.
> > And querying an LSA database over RPC is no magic either.
> 
> If you want to implement an IPC mechanism for authentication, then I'm
> happy to consult on the full difficulties.  I wouldn't start with
> auth_netlogond however, either auth_wbc for pure NTLM or the
> mooted-but-never-implemented 'GENSEC pipe' would be better starting
> points. 

There are developments right now to make winbind dissect the
PAC on behalf of smbd (or nfs ganesha). We could do work
based on that.

> > Regarding the missing transactions over LDAP: We have talked
> > about how to fix that problem a couple of years ago. Design
> > LDAP exops that do the whole set of operations that need to
> > be protected by transactions.
> 
> Even if you were to implement LDAP transactions specifically for this
> module, the lack of offline support would seem to doom this to forever
> being a duplicate effort, so I'm really at a loss as to understand what
> we would gain by doing so. 

People are well aware of that with ldapsam today. If the
directory is not around, smbpasswd won't work.

> I asked you if you had plans for further development, and you said you
> didn't.  To be clear, do you plan to further develop these modules?

As I said in my initial mail, I don't have time to do that
on my own in isolation. Both Michael and Simo have raised
concerns with the removal of those modules, so I would hope
for them to join in this development. If we have more
than just me alone, I think we can do development there.

> > Sorry, but with that argument we need to remove the S4
> > fileserver immediately. It is duplicate and it is nothing
> > anybody wants to support.
> 
> There is a critical difference, and that is that has real-world users
> and it is tested by an extensive test-suite. 

Ok, so it will be you who will fix bugs in that component
when they are reported, or will you tell people to switch
once they hit problems?

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de