[PATCH] Change winbindd to use the auth subsystem (use winbindd in AD DC)

Jeremy Allison jra at samba.org
Mon Mar 31 12:24:06 MDT 2014

On Fri, Mar 28, 2014 at 03:47:33PM +1300, Andrew Bartlett wrote:
> On Thu, 2014-03-27 at 09:59 +0100, Volker Lendecke wrote:
> > On Thu, Mar 27, 2014 at 09:11:45PM +1300, Andrew Bartlett wrote:
> > > > Can you describe to me again what auth_samba4 provides that
> > > > can not be provided by winbind going over a local NETLOGON
> > > > pipe? This IMHO would be a much cleaner separation of code.
> > > 
> > > This keeps the current behaviour, which is to handle this in-process. 
> > 
> > Yes, I know. But as you know I never agreed with this
> > design. I would like to discuss again to change it to use
> > the NETLOGON pipe. For trusted domains we have to do it
> > anyway.
> I would like that as well.  Even without trusted domains, we need this
> because the RODC has to be able to forward authentication on to a full
> DC.  Even on the full DC we really should re-try failed authentications
> with the PDC, in case the password changed. 
> Perhaps you could help by making that work for the classic DC case, and
> then get back to me?  It is there that I suspect we will have the more
> major issues, such as those that the extra flags added are for (avoiding
> looping auth and skipping PAM handling).  The most difficult issue (due
> to upgrades) will be the need for a self-join trust account.  
> Once all that is sorted out, having the AD DC mode follow suit doesn't
> seem particularly impractical.
> In the meantime, this patch resolves an existing issue that despite what
> the administrator sets in 'auth methods', that auth_sam is always used
> by winbindd.  That it helps bootstrap the AD DC using winbindd effort is
> of course also very helpful. 
> The use of winbindd in the AD DC isn't going to happen overnight, I'll
> post an updated patch series, and get into master what of that is
> reasonable.  The rest we can continue to discuss while we work on
> it.

Volker, can you explain again how you want this to work?

Andrew and I are interested in making this work so we
can standardize on one winbindd and remove another
integration bottleneck.
