[PATCH] Change winbindd to use the auth subsystem (use winbindd in AD DC)
Jeremy Allison
jra at samba.org
Mon Mar 31 12:24:06 MDT 2014
On Fri, Mar 28, 2014 at 03:47:33PM +1300, Andrew Bartlett wrote:
> On Thu, 2014-03-27 at 09:59 +0100, Volker Lendecke wrote:
> > On Thu, Mar 27, 2014 at 09:11:45PM +1300, Andrew Bartlett wrote:
> > > > Can you describe to me again what auth_samba4 provides that
> > > > can not be provided by winbind going over a local NETLOGON
> > > > pipe? This IMHO would be a much cleaner separation of code.
> > >
> > > This keeps the current behaviour, which is to handle this in-process.
> >
> > Yes, I know. But as you know I never agreed with this
> > design. I would like to discuss again to change it to use
> > the NETLOGON pipe. For trusted domains we have to do it
> > anyway.
>
> I would like that as well. Even without trusted domains, we need this
> because the RODC has to be able to forward authentication on to a full
> DC. Even on the full DC we really should re-try failed authentications
> with the PDC, in case the password changed.
>
> Perhaps you could help by making that work for the classic DC case, and
> then get back to me? It is there that I suspect we will have the more
> major issues, such as those that the extra flags added are for (avoiding
> looping auth and skipping PAM handling). The most difficult issue (due
> to upgrades) will be the need for a self-join trust account.
>
> Once all that is sorted out, having the AD DC mode follow suit doesn't
> seem particularly impractical.
>
> In the meantime, this patch resolves an existing issue that, despite what
> the administrator sets in 'auth methods', auth_sam is always used
> by winbindd. That it helps bootstrap the AD DC using winbindd effort is
> of course also very helpful.
>
> The use of winbindd in the AD DC isn't going to happen overnight, I'll
> post an updated patch series, and get into master what of that is
> reasonable. The rest we can continue to discuss while we work on
> it.
Volker, can you explain again how you want this to work?
Andrew and I are interested in making this work so we
can standardize on one winbindd and remove another
integration bottleneck.
Cheers,
Jeremy.