Plans for pdb_ads and auth_netlogond?
Volker Lendecke
Volker.Lendecke at SerNet.DE
Tue Jun 19 23:48:21 MDT 2012
On Wed, Jun 20, 2012 at 08:43:04AM +1000, Andrew Bartlett wrote:
> On Tue, 2012-06-19 at 17:17 +0200, Volker Lendecke wrote:
> > On Tue, Jun 19, 2012 at 11:08:20PM +1000, Andrew Bartlett wrote:
> > > - auth_netlogond cannot handle kerberos (because it was written before those
> > > extensions), and cannot query the correct lsa database for matching privileges.
> >
> > Why could it not be extended to do this? We have had
> > Kerberos support in smbd for ages, as you very well know.
> > And querying an LSA database over RPC is no magic either.
>
> If you want to implement an IPC mechanism for authentication, then I'm
> happy to consult on the full difficulties. I wouldn't start with
> auth_netlogond however, either auth_wbc for pure NTLM or the
> mooted-but-never-implemented 'GENSEC pipe' would be better starting
> points.
There are developments right now to make winbind dissect the
PAC on behalf of smbd (or nfs ganesha). We could do work
based on that.
> > Regarding the missing transactions over LDAP: We have talked
> > about how to fix that problem a couple of years ago. Design
> > LDAP exops that do the whole set of operations that need to
> > be protected by transactions.
>
> Even if you were to implement LDAP transactions specifically for this
> module, the lack of offline support would seem to doom this to forever
> being a duplicate effort, so I'm really at a loss as to understand what
> we would gain by doing so.
People are well aware of that with ldapsam today. If the
directory is not around, smbpasswd won't work.
> I asked you if you had plans for further development, and you said you
> didn't. To be clear, do you plan to further develop these modules?
As I said in my initial mail, I don't have time to do that
on my own in isolation. Both Michael and Simo have raised
concerns with the removal of those modules, so I would hope
for them to join in this development. If we have more
than just me alone, I think we can do development there.
> > Sorry, but with that argument we need to remove the S4
> > fileserver immediately. It is duplicate and it is nothing
> > anybody wants to support.
>
> There is a critical difference, and that is that has real-world users
> and it is tested by an extensive test-suite.
Ok, so it will be you who will fix bugs in that component
when they are reported, or will you tell people to switch
once they hit problems?
With best regards,
Volker Lendecke
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de