selftest: re-enable nss_winbind via nss_wrapper in the test-envs.
Andrew Bartlett
abartlet at samba.org
Thu Feb 19 12:33:23 MST 2015
On Thu, 2015-02-19 at 16:44 +0100, Michael Adam wrote:
> On 2015-02-19 at 14:53 +0100, Stefan (metze) Metzmacher wrote:
> > Am 19.02.2015 um 12:55 schrieb Michael Adam:
> > > On 2015-02-19 at 12:46 +0100, Björn JACKE wrote:
> > >> On 2015-02-19 at 12:04 +0100 Michael Adam sent off:
> > >>> This is not a matter of unresolved uids.
> > >>
> > >> actually this is the only drawback you have in this setup. So this is the only
> > >> matter you might have ;)
> > >
> > > No. id mapping should still work, because winbindd is running
> > > and smbd is talking to it. What does not work is nss for the
> > > domain users, and smbd does rely on that.
> >
> > Where?
>
> Example:
>
> source3/auth/auth_samba4.c:
> auth_methods->auth = check_samba4_security
> check_samba4_security
> -> make_server_info_info3
> -> check_account
> -> smb_getpwnam
> -> Get_Pwnam_alloc
> -> Get_Pwnam_internals
> -> getpwnam_alloc_cached
> -> getpwnam
>
> I did not observe a problem (but I also never ran
> samba without nss_winbindd). But I see this potentially
> problematic code paths (and there ar more).
This is actually a path never taken in production, only possibly used by
pdbtest, and should probably be removed. At the top of
check_samba4_security():
/*
* This hook is currently used by winbindd only, as all other NTLM
* logins go via the hooks provided by make_auth4_context_s4() below.
*
(winbindd sets USER_INFO_INFO3_AND_NO_AUTHZ)
> > What do you mean by "domain users" exactly?
>
> User objects of (our) AD.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list