What was the resolution about why we are talking to DCs when a client authenticates with Kerberos

Uri Simchoni urisimchoni at gmail.com
Wed Aug 5 03:37:00 UTC 2015


There's an open bug -
https://bugzilla.samba.org/show_bug.cgi?id=11259

Jeremy worked on that for a while. The latest patch eliminates the
LDAP query and some RPCs, but some remain.

One basic thing that remained an open issue for me is the additional
SIDs in the PAC (besides the RID list) - some of the RPC calls are made
to determine whether those are group or user SIDs, presumably because
only groups should enter the unix token, and hence it seems the RPCs
cannot be eliminated entirely in all cases. However, it seems that even
today, when we do a getgrouplist using winbindd as the backend, we get a
"group" id derived from the user SID. I'm not sure whether this is by
design - maybe it has something to do with ID_TYPE_BOTH, but I
haven't studied this part of the code.

Another thing that you raised a while back is that we may not need the
UNIX token at all - perhaps it would be better to calculate it lazily,
only when entering a share that requires it? (e.g. have a VFS interface
which indicates whether a UNIX token is required on this share).

Uri

On Wed, Aug 5, 2015 at 1:58 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> I recall some discussion that we were contacting DCs even when a
> client authenticates with Kerberos 5.
>
> There was a suggestion that we should not be doing that.
>
> Was the investigation of why we are doing it completed? What was the resolution?
>
> --
> Regards,
> Richard Sharpe
> (How can one dispel sorrow? Only with Dukang wine. -- Cao Cao)
>
