What was the resolution about why we are talking to DCs when a client authenticates with Kerberos

Richard Sharpe realrichardsharpe at gmail.com
Wed Aug 5 13:59:39 UTC 2015

On Tue, Aug 4, 2015 at 8:37 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:
> There's an open bug -
> https://bugzilla.samba.org/show_bug.cgi?id=11259
> Jeremy worked on that for a while. The latest patch eliminates the
> LDAP query and some RPCs, but some remain.
> One basic thing that remained an open issue for me is the additional
> SIDs in the PAC (beside the RID list) - some of the RPC calls are made
> to determine whether those are group or user SIDs, presumably because
> only groups should enter the unix token, and hence it seems the RPCs
> cannot be eliminated entirely in all cases. However it seems that even
> today when we do a getgrouplist using winbindd as backend, we get a
> "group" id derived from the user SID, not sure whether this is by
> design - maybe it has something to do with the ID_TYPE_BOTH but I
> haven't studied this part of the code.
> Another thing that you raised a while back is that we may not need the
> UNIX token at all - perhaps it would be better to calculate it lazily,
> only if entering a share that requires it? (e.g. have a VFS interface
> which indicates whether UNIX token is required on this share).

That is a good suggestion. As mentioned in another rant, this is the
third gig where I have completely eliminated the useless POSIX ACLs
crap and relied solely on acl_xattr.

We could add a field to the connect call that would indicate whether
or not this connection needs SID to UID/GID translation, but in a
product setting you would never support such mixed environments, so
why even do that.

I would much rather some way to switch it off in configure. Hmmm, let
me think about that.

> Uri
> On Wed, Aug 5, 2015 at 1:58 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> Hi folks,
>> I recall some discussion that we were contacting DCs even when a
>> client authenticates with Kerberos 5.
>> There was a suggestion that we should not be doing that.
>> Was the investigation of why we are doing it completed? What was the resolution?
>> --
>> Regards,
>> Richard Sharpe
>> (何以解憂?唯有杜康。--曹操)

Richard Sharpe
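The trade-off discussed in this thread, as an added Python sketch that is not Samba code: RID-list entries in the PAC are groups relative to the account domain SID and resolve without any DC contact, the extra SIDs of unknown type are the part that still needs a lookup, and building the UNIX token lazily defers that lookup until a share actually needs it. The `Pac` and `LazyUnixToken` names, the SID values and the `sample_lookup` stand-in for the RPC are all constructed for the illustration.

```python
# Added illustration, not Samba code: which PAC fields yield token group SIDs
# without contacting a DC, which still force a lookup, and a lazily built token
# so the lookup happens only when a share actually needs a UNIX token.
from dataclasses import dataclass

@dataclass
class Pac:
    """Constructed stand-in for the PAC logon-info fields discussed above."""
    domain_sid: str    # account domain SID, e.g. S-1-5-21-...
    user_rid: int      # the user's own RID (must never become a group)
    group_rids: list   # RIDs relative to domain_sid; groups by definition
    extra_sids: list   # full SIDs whose type (user/group) the PAC does not state

def domain_group_sids(pac):
    """RID-list entries are groups, so they resolve offline."""
    return [f"{pac.domain_sid}-{rid}" for rid in pac.group_rids]

def classify_extra_sids(pac, type_cache, lookup):
    """Return (group SIDs, SIDs that needed a lookup). `lookup` stands for the
    remaining RPC; the cache shows where repeat round trips can be avoided."""
    groups, looked_up = [], []
    for sid in pac.extra_sids:
        if sid not in type_cache:
            type_cache[sid] = lookup(sid)
            looked_up.append(sid)
        if type_cache[sid] == "group":
            groups.append(sid)
    return groups, looked_up

class LazyUnixToken:
    """Group list is computed on first use, so a share that never needs a
    UNIX token never triggers the lookup."""
    def __init__(self, pac, type_cache, lookup):
        self.pac, self.cache, self.lookup = pac, type_cache, lookup
        self._groups = None
        self.lookups_made = 0
    def groups(self):
        if self._groups is None:
            extra, looked_up = classify_extra_sids(self.pac, self.cache, self.lookup)
            self.lookups_made += len(looked_up)
            self._groups = domain_group_sids(self.pac) + extra
        return self._groups

# Constructed sample: one foreign-domain group and one user SID among the extras.
SAMPLE_PAC = Pac("S-1-5-21-1000-2000-3000", 1105, [513, 1107],
                 ["S-1-5-21-4000-5000-6000-1201", "S-1-5-21-4000-5000-6000-1300"])
SAMPLE_TYPES = {"S-1-5-21-4000-5000-6000-1201": "group",
                "S-1-5-21-4000-5000-6000-1300": "user"}
sample_lookup = SAMPLE_TYPES.__getitem__   # constructed stand-in for the RPC
```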
