selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Michael Adam obnox at samba.org
Thu Feb 19 04:04:01 MST 2015


On 2015-02-19 at 11:53 +0100, Björn JACKE wrote:
> On 2015-02-18 at 11:21 +0100 Michael Adam sent off:
> > Hmmm. I don't see what this has to do with a general purpose
> > file server. My understanding was that a DC without nss_winbind
> > is incomplete. My understanding is also that smbd is not
> > functional without the ability to reach out into nss some time
> > because it tries to do getpwnam at times. Maybe this is just
> > not true with the way smbd is used in the DC environment, but
> > I was not aware. That is the basis of my statement that I
> > consider a DC setup without nss_winbind incomplete, or broken. :)
> 
> I definitely don't consider this as incomplete or broken. Actually I strongly
> prefer AD DC setups without nss_winbind. As we should have no more than the
> sysvol share on a DC the ugliness of non-resolved uids in the filesystem is not
> a big deal at all and we have reduced complexity.

This is not a matter of unresolved uids.
This is a matter of smbd relying on getpwnam working
for domain users. And I am really really puzzled that
this setup should work at all.

> The most striking argument
> why I decided to avoid nss_winbind on AD DCs was the fact that by default
> Administrator gets the uidnumber 0 assigned.

Right. This I consider flawed.
There should be other means to achieve what was intended by this.
And not using winbind does not mainly remove complexity
but renders the smbd setup incomplete, imho.

> This screws up root's account
> occasionally. See https://bugzilla.samba.org/show_bug.cgi?id=9837 . On a member
> server this nasty uidnumber 0 is being filtered out by the uid range of the
> domain. On a DC nss_winbind screws the system up if such bad uidnumbers are
> assigned in AD.

Right. We should not do that (assign uid 0 to a domain user). :)

Of course I have to admit most of my arguments are not from
production setups but from theory and my own test setups.
But I have never even dared to think about a setup without
nss-winbindd.

Michael