Subdomain support in the AD DC!

Andrew Bartlett abartlet at
Wed Sep 11 21:59:57 CEST 2013

On Wed, 2013-09-11 at 14:21 +0200, Volker Lendecke wrote:
> On Wed, Sep 11, 2013 at 02:16:31PM +1200, Andrew Bartlett wrote:
> > On Tue, 2013-09-10 at 10:53 +0200, Volker Lendecke wrote:
> > > On Tue, Sep 10, 2013 at 10:27:53AM +1200, Andrew Bartlett wrote:
> > > > If you want to help out, a specific, defined and useful task you could take on is:
> > > > 
> > > > Provide an IRPC listener for the SamLogon call, glued in to the existing
> > > > SamLogon handlers.  You can use ntlm_auth4
> > > > --helper-protocol=squid-2.5-ntlmssp to test it (it speaks the IRPC
> > > > protocol when handling NTLMSSP).  You may or may not wish to merge the
> > > > messaging code first, but that shouldn't be needed to get it going. 
> > > > 
> > > > Getting this much working would make a massive difference to being able
> > > > to swap in the source3 winbind, and lay the ground-work for the other
> > > > calls we need. 
> > > 
> > > This is called from source4/auth/ntlm/auth_winbind.c?
> > 
> > Yes.
> Question: To me this looks pretty similar to what
> wbcAuthenticateUserEx does or can do. What is missing from
> that call that makes an irpc interface necessary?
> Correct me if I'm wrong, but isn't this one of the core
> nested event loops we have? If we wrote a nested-event-loop
> wbcAuthenticateUserEx flavor, couldn't that do it as well?

We certainly could.  I should have been clearer as to why I suggested
this particular task:  Yes, NTLM authentication could be done with an
existing or modified interface, and the other calls in winbind.idl are

I suggested this task because all the other parts are already in place:
We have a simple client to test with (ntlm_auth4), and the server code
already exists.  That way, the task itself is fairly simple - just glue
already working components together. 

That said, there are only 3 working calls in winbind.idl, and we could
certainly continue to expand the existing protocol.  My only comment on
that is that it just puts off at least trying to use IRPC (which is
already based on metze's binding handle work), and a common unix domain
socket based messaging system, both of which would I think be useful
more broadly.  

IRPC is used elsewhere in the source4 code.  It is quite a flexible,
async, IDL-based messaging system, and it would be great if more parts
of our code could talk to each other. 


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Catalyst IT         