Plans for pdb_ads and auth_netlogond?

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Jun 19 23:48:21 MDT 2012

On Wed, Jun 20, 2012 at 08:43:04AM +1000, Andrew Bartlett wrote:
> On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> > On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> > >   - auth_netlogond cannot handle kerberos (because it was written before those 
> > >     extensions), and cannot query the correct lsa database for matching privileges. 
> > 
> > Why could it not be extended to do this? We have had
> > Kerberos support in smbd for ages, as you very well know.
> > And querying an LSA database over RPC is no magic either.
> If you want to implement an IPC mechanism for authentication, then I'm
> happy to consult on the full difficulties.  I wouldn't start with
> auth_netlogond however, either auth_wbc for pure NTLM or the
> mooted-but-never-implemented 'GENSEC pipe' would be better starting
> points. 

There are developments right now to make winbind dissect the
PAC on behalf of smbd (or nfs ganesha). We could do work
based on that.

> > Regarding the missing transactions over LDAP: We have talked
> > about how to fix that problem a couple of years ago. Design
> > LDAP exops that do the whole set of operations that need to
> > be protected by transactions.
> Even if you were to implement LDAP transactions specifically for this
> module, the lack of offline support would seem to doom this to forever
> being a duplicate effort, so I'm really at a loss as to understand what
> we would gain by doing so. 

People are well aware of that with ldapsam today. If the
directory is not around, smbpasswd won't work.

> I asked you if you had plans for further development, and you said you
> didn't.  To be clear, do you plan to further develop these modules?

As I said in my initial mail, I don't have time to do that
on my own in isolation. Both Michael and Simo have raised
concerns with the removal of those modules, so I would hope
for them to join in this development. If we have more
than just me alone, I think we can do development there.

> > Sorry, but with that argument we need to remove the S4
> > fileserver immediately. It is duplicate and it is nothing
> > anybody wants to support.
> There is a critical difference, and that is that has real-world users
> and it is tested by an extensive test-suite. 

Ok, so it will be you who will fix bugs in that component
when they are reported, or will you tell people to switch
once they hit problems?

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
