Reasoning for auth_samba4.c

Andrew Bartlett abartlet at
Mon Dec 2 13:55:37 MST 2013

On Mon, 2013-12-02 at 10:12 +0100, Volker Lendecke wrote:
> On Fri, Nov 29, 2013 at 06:20:26PM +0100, Volker Lendecke wrote:
> > On Sat, Nov 30, 2013 at 06:04:56AM +1300, Andrew Bartlett wrote:
> > > On Fri, 2013-11-29 at 10:01 +0100, Volker Lendecke wrote:
> > > > Hi, Andrew!
> > > 
> > > > In the past I've put
> > > > quite significant effort to get rid of procid_self. I would
> > > > like to completely remove this and always go via
> > > > messaging_server_id. Via new_server_id_task we acquired a
> > > > new call to procid_self, which is a new stumbling block for
> > > > removal of that routine. So I would like to know about the
> > > > reasons why this is strictly necessary in the current setup.
> > > 
> > > It provides a deterministic client-side address for the imessaging
> > > library to use, rather than the previous approach of selecting a random
> > > number.
> > 
> > True. But this does not really answer my question: If we did
> > this via a NETLOGON call over a unix domain socket, wouldn't
> > that also work? For that we also have very elaborate
> > infrastructure available and don't need imessaging in this
> > place.
> > 
> > The question was -- what does the gensec call via imessaging
> > gain us in this particular place? Don't get me wrong, I
> > kind of got over my objections against gensec. It might have
> > its place, and we will use it more and more. It's the
> > particular use of it in auth_samba4 that I would like to
> > understand the reasoning for.
>
> Can I take your silence as consent that you would not object
> to replacing auth_samba4 with something that uses a NETLOGON
> connection?

Please understand that I try very hard not to work on Samba outside NZ
business hours.  

Particularly when addressing your questions, I like to take a great deal
of care to answer correctly, and in a way that deals with technical
issues with the respect they deserve.  I've spent some time to compose a
reply, but my priorities have been the testing and review of Metze's
NETLOGON schannel work, which is complex and critical to our operation
as a file server.  I also need to look over the important fixes that
Andreas has proposed for the force user code, as he has waited for well
over a week for my input there. 

Finally, I had wanted to give the opportunity for someone else, perhaps
metze who reviewed the work we did to swap in the source4 auth code when
running as an AD DC (only), to perhaps express a reply, without the
additional overtones and history that sadly exist between us.

I hope to give you a more detailed understanding of the important
differences between auth_samba4 and what auth_netlogond in due time.  In
the meantime do understand that despite similar names, they are not
equivalent in functionality, and so I must object, as they cannot simply
replace each other. 

Thank you for your patience and understanding in this matter,

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
