Subdomain support in the AD DC!
abartlet at samba.org
Wed Sep 11 22:37:05 CEST 2013
On Wed, 2013-09-11 at 22:27 +0200, Volker Lendecke wrote:
> On Thu, Sep 12, 2013 at 07:59:57AM +1200, Andrew Bartlett wrote:
> > We certainly could. I should have been clearer as to why I suggested
> > this particular task: Yes, NTLM authentication could be done with an
> > existing or modified interface, and the other calls in winbind.idl are
> > trivial.
> > I suggested this task because all the other parts are already in place:
> > We have a simple client to test with (ntlm_auth4), and the server code
> > already exists. That way, the task itself is fairly simple - just glue
> > already working components together.
> > That said, there are only 3 working calls in winbind.idl, and we could
> > certainly continue to expand the existing protocol. My only comment on
> > that is that it just puts off at least trying to use IRPC (which is
> > already based on metze's binding handle work), and a common unix domain
> > socket based messaging system, both of which would I think be useful
> > more broadly.
> > IRPC is used elsewhere in the source4 code. It is quite a flexible,
> > async, IDL-based messaging system, and it would be great if more parts
> > of our code could talk to each other.
> That might be true. But given our limited resources we need
> to take short cuts in places I believe. Right now I don't
> see a real functional need that would make irpc in
> source3/winbind strictly necessary. It might come in the
> near future, but right now I believe using the old crap
> protocol behind a relatively clean API is just less work.
> Don't get me wrong, I have seriously played with unix domain
> datagram sockets for messaging scalability already and
> sooner or later it will happen. The real need will come from
> a completely different corner: ctdb scalability and
> parallelism. But right now -- not yet for me.
OK. I had seen your efforts and interest in this in the past, which is
why I thought it might be reasonable to suggest.
> This is an isolated interface that is relatively easily
> replaceable. I would like to attack the functional problems
Indeed, and SDC will be the ideal time to find and fix those, and leave
polishing for (say) the long flights and sleepless nights on the way
> I am the first to do a lot of small cleanups here and
> there when I come across bad code (see my brlock cleanup of
> this morning for example). But my personal level of pain
> with the winbind interface has not been reached yet :-)
That is entirely reasonable. Let me know how you go!
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz