[Review Request] libwbclient-sssd

Andrew Bartlett abartlet at samba.org
Mon May 12 19:02:47 MDT 2014

On Fri, 2014-05-09 at 18:52 +0200, Sumit Bose wrote:
> Hi,
> I'm looking for review and comments on my patches in
> http://fedorapeople.org/cgit/sbose/public_git/samba.git/log/ .
> They add a replacement for libwbclient which talks to SSSD
> (https://fedorahosted.org/sssd/) instead of winbindd. One of the
> use-cases for this library is to run Samba on FreeIPA clients where the
> FreeIPA domain already has a trust relationship to an AD forest.
> Currently not all calls are implemented but it already works quite well.
> I would prefer to maintain this library in the Samba source tree
> instead of e.g. in the SSSD tree. We already have an id-mapping plugin for
> cifs-utils in the SSSD tree but here the plugin interface is very small
> and I think chances are low that it will change any time soon.
> libwbclient on the other hand is more complex and contains quite some
> calls which are independent of the backend (e.g. memory management and
> conversion utilities). I tried to extract this common code in some of
> the patches so that it can be used by both libraries.
> Please let me know if you think that those patches can be included in
> the samba tree (and what I have to fix/change to make it happen) or if
> you think it would be better to maintain it externally?
> Btw, I will be available for discussion next week on SambaXP.

The main concern I have is that this will again tie us to the
libwbclient ABI, at a time when we, or at least I, am looking at better ways
to communicate to and from winbindd.

For example, libwbclient is not async, and in my area of concern, the
wbcAuthenticateUserEx call is quite unfortunate in the amount of data
that is lost (by converting to unix time) when both ends simply want the
'info3' structure. 

I was hoping as part of the winbindd merge to propose an improved async
interface for smbd authentication against winbindd, for example.  If we
bypass libwbclient then that might break you.

I know this is much more a philosophical than a technical objection, and
you would rightly ask 'why didn't you tell me before now', but this is
the first I've heard of this. 

Now, that might mean we should just include this in Samba, and so ensure
either winbindd or sssd can be contacted, over current or future
versions of the library.  I'm not sure, but I wanted to communicate my
concerns here.

I hope these thoughts are not too confusing,

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba