Subdomain support in the AD DC!

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Sep 11 22:27:50 CEST 2013

On Thu, Sep 12, 2013 at 07:59:57AM +1200, Andrew Bartlett wrote:
> We certainly could.  I should have been clearer as to why I suggested
> this particular task:  Yes, NTLM authentication could be done with an
> existing or modified interface, and the other calls in winbind.idl are
> trivial.  
> I suggested this task because all the other parts are already in place:
> We have a simple client to test with (ntlm_auth4), and the server code
> already exists.  That way, the task itself is fairly simple - just glue
> already working components together. 
> That said, there are only 3 working calls in winbind.idl, and we could
> certainly continue to expand the existing protocol.  My only comment on
> that is that it just puts off at least trying to use IRPC (which is
> already based on metze's binding handle work), and a common unix domain
> socket based messaging system, both of which would I think be useful
> more broadly.  
> IRPC is used elsewhere in the source4 code.  It is quite a flexible,
> async, IDL-based messaging system, and it would be great if more parts
> of our code could talk to each other. 

That might be true. But given our limited resources we need
to take short cuts in places I believe. Right now I don't
see a real functional need that would make irpc in
source3/winbind strictly necessary. It might come in the
near future, but right now I believe using the old crap
protocol behind a relatively clean API is just less work.

Don't get me wrong, I have seriously played with unix domain
datagram sockets for messaging scalability already and
sooner or later it will happen. The real need will come from
a completely different corner: ctdb scalability and
parallelism. But right now -- not yet for me.

This is an isolated interface that is relatively easily
replaceable. I would like to attack the functional problems
first. I am the first to do a lot of small cleanups here and
there when I come across bad code (see my brlock cleanup of
this morning for example). But my personal level of pain
with the winbind interface has not been reached yet :-)


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at

visit us on it-sa:IT security exhibitions in Nürnberg, Germany
October 8th - 10th 2013, hall 12, booth 333
free tickets available via code 270691 on:
