s3-winbindd and binding handles

Andrew Bartlett abartlet at samba.org
Wed May 7 23:11:14 MDT 2014


On Thu, 2014-05-08 at 11:37 +1200, Andrew Bartlett wrote:
> On Thu, 2014-05-08 at 08:55 +1200, Andrew Bartlett wrote:
> > On Wed, 2014-05-07 at 11:17 +0200, Stefan (metze) Metzmacher wrote:
> > > Hi Volker,
> > > 
> > > >> My current work in progress is here:
> > > >> http://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/ad-dc-winbindd-WIP
> > > >>
> > > >> My next goal is to have winbindd answer the SamLogon protocol the
> > > >> source4 auth system uses, and to extend that to include everything we
> > > >> need, particularly for the RODC.  
> > > > 
> > > > To me this looks as if the parent winbind loops inside a
> > > > nested event context processing the irpc request. This would
> > > > block all other async requests that might be handled
> > > > concurrently. Am I getting this right?
> > > 
> > > That depends on the content of winbindd/winbindd_update_rodc_dns.c,
> > > but that is missing in the commit...
> > > 
> > > In general the IRPC handler can be implemented async,
> > > it has to set m->defer_reply = true;
> > > 
> > > See the wb_irpc_DsrUpdateReadOnlyServerDnsRecords() function in
> > > source4/winbind/wb_irpc.c.
> > 
> > Correct, and that is what it does because of course it is a copy from
> > there.  Then it passes it to the winbindd_dual child to actually
> > implement.  Currently this is manual, but I'm going to make it forward
> > using a more generic mechanism as I think that could be a very powerful
> > pattern. 
> 
> I've updated the branch with the code. 

I've pushed some more fixes to that branch, and my first untested and
almost certainly broken prototype of RPC forwarding between IRPC and
internal winbind RPC.  I'm sure there is much broken, but finding that
will be a task for tomorrow :-)

What I need now is a way to, without breaking the rest of winbindd, on
an RODC get a binding handle to a full DC, and a way on a DC to get a
binding handle on the PDC.  We need this when we forward a logon if the
password isn't in the local DB, or if the password is wrong. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


