Subdomain support in the AD DC!

Andrew Bartlett abartlet at
Wed Sep 11 22:37:05 CEST 2013

On Wed, 2013-09-11 at 22:27 +0200, Volker Lendecke wrote:
> On Thu, Sep 12, 2013 at 07:59:57AM +1200, Andrew Bartlett wrote:
> > We certainly could.  I should have been clearer as to why I suggested
> > this particular task:  Yes, NTLM authentication could be done with an
> > existing or modified interface, and the other calls in winbind.idl are
> > trivial.  
> > 
> > I suggested this task because all the other parts are already in place:
> > We have a simple client to test with (ntlm_auth4), and the server code
> > already exists.  That way, the task itself is fairly simple - just glue
> > already working components together. 
> > 
> > That said, there are only 3 working calls in winbind.idl, and we could
> > certainly continue to expand the existing protocol.  My only comment on
> > that is that it just puts off at least trying to use IRPC (which is
> > already based on metze's binding handle work), and a common unix domain
> > socket based messaging system, both of which would I think be useful
> > more broadly.  
> > 
> > IRPC is used elsewhere in the source4 code.  It is quite a flexible,
> > async, IDL-based messaging system, and it would be great if more parts
> > of our code could talk to each other. 
> That might be true. But given our limited resources we need
> to take short cuts in places I believe. Right now I don't
> see a real functional need that would make irpc in
> source3/winbind strictly necessary. It might come in the
> near future, but right now I believe using the old crap
> protocol behind a relatively clean API is just less work.


> Don't get me wrong, I have seriously played with unix domain
> datagram sockets for messaging scalability already and
> sooner or later it will happen. The real need will come from
> a completely different corner: ctdb scalability and
> parallelism. But right now -- not yet for me.

OK.  I had seen your efforts and interest in this in the past, which is
why I thought it might be reasonable to suggest. 

> This is an isolated interface that is relatively easily
> replaceable. I would like to attack the functional problems
> first.

Indeed, and SDC will be the ideal time to find and fix those, and leave
polishing for (say) the long flights and sleepless nights on the way
home :-)

> I am the first to do a lot of small cleanups here and
> there when I come across bad code (see my brlock cleanup of
> this morning for example). But my personal level of pain
> with the winbind interface has not been reached yet :-)

That is entirely reasonable.  Let me know how you go!

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Catalyst IT         