selftest: re-enable nss_winbind via nss_wrapper in the test-envs.
obnox at samba.org
Thu Feb 19 13:36:54 MST 2015
On 2015-02-20 at 08:33 +1300, Andrew Bartlett wrote:
> On Thu, 2015-02-19 at 16:44 +0100, Michael Adam wrote:
> > On 2015-02-19 at 14:53 +0100, Stefan (metze) Metzmacher wrote:
> > > Am 19.02.2015 um 12:55 schrieb Michael Adam:
> > > > On 2015-02-19 at 12:46 +0100, Björn JACKE wrote:
> > > >> On 2015-02-19 at 12:04 +0100 Michael Adam sent off:
> > > >>> This is not a matter of unresolved uids.
> > > >>
> > > >> actually this is the only drawback you have in this setup. So this is the only
> > > >> matter you might have ;)
> > > >
> > > > No. id mapping should still work, because winbindd is running
> > > > and smbd is talking to it. What does not work is nss for the
> > > > domain users, and smbd does rely on that.
> > >
> > > Where?
> > Example:
> > source3/auth/auth_samba4.c:
> > auth_methods->auth = check_samba4_security
> > check_samba4_security
> > -> make_server_info_info3
> > -> check_account
> > -> smb_getpwnam
> > -> Get_Pwnam_alloc
> > -> Get_Pwnam_internals
> > -> getpwnam_alloc_cached
> > -> getpwnam
> > I did not observe a problem (but I also never ran
> > samba without nss_winbindd). But I see these potentially
> > problematic code paths (and there are more).
> This is actually a path never taken in production, only possibly used by
> pdbtest, and should probably be removed. At the top of
> * This hook is currently used by winbindd only, as all other NTLM
> * logins go via the hooks provided by make_auth4_context_s4() below.
> (winbindd sets USER_INFO_INFO3_AND_NO_AUTHZ)
Ok, then if it is not used, it is only confusing. So let's remove it...
And this only proves that probably for each one of the
dozen or couple of dozen calls to Get_Pwnam (outside
of passdb), it is rather subtle and you have to look
really carefully in order to justify why this path
is not taken in the DC setup. So for me the safe assumption
still is that one should always use nss_winbindd when using
smbd (with winbind).
If the experts on the matter say they have seen no
problems with that kind of use, fine, then it is probably
not as bad as I initially feared. But I am still
sceptical. If I find enough time, I may out of curiosity
audit all the getpwnam calls in source3 and check whether
they are called in the DC setup, but don't wait for it... :-)
I am not saying that I want it to be that way. If we
could get rid of getpwnam calls, that'd probably be
a great thing! But I don't see that we are currently
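The dependency Michael describes in the quoted call chain (an smbd code path that ends in getpwnam(), which can only resolve domain users when winbind is listed as an NSS passwd source, or when selftest substitutes nss_wrapper) shown as an added example. This is not Samba code; the functions lookup_account() and passwd_uses_winbind() and the nsswitch.conf fragments are constructed here for illustration.

```c
/* Added example, not Samba code. Shows why an account check that goes
 * through getpwnam() depends on the NSS configuration: the name is only
 * resolvable if the "passwd" database lists a source that knows it.
 * lookup_account() and passwd_uses_winbind() are assumed names. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Same shape as smb_getpwnam -> getpwnam in the quoted chain.
 * Returns 1 = found, 0 = unknown user, -1 = lookup error. */
int lookup_account(const char *name, uid_t *uid_out)
{
    struct passwd pwd, *result = NULL;
    char buf[4096];
    int rc = getpwnam_r(name, &pwd, buf, sizeof(buf), &result);

    /* glibc reports "not found" either as rc == 0 with result == NULL
     * or as ENOENT/ESRCH; anything else is a real backend failure. */
    if (rc != 0 && rc != ENOENT && rc != ESRCH) {
        return -1;
    }
    if (result == NULL) {
        return 0;
    }
    if (uid_out) {
        *uid_out = pwd.pw_uid;
    }
    return 1;
}

/* Scans nsswitch.conf text for the (first, uncommented) "passwd:" line
 * and reports whether "winbind" is one of its sources.
 * Returns 1 = winbind present, 0 = absent, -1 = no passwd line at all. */
int passwd_uses_winbind(const char *nsswitch_text)
{
    const char *line = nsswitch_text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + len;
        const char *p = line;

        while (p < end && (*p == ' ' || *p == '\t')) p++;

        if (p < end && *p != '#' && strncmp(p, "passwd:", 7) == 0) {
            const char *q = p + 7;
            /* Tokenize the rest of the line on blanks; stop at a comment. */
            while (q < end) {
                while (q < end && (*q == ' ' || *q == '\t')) q++;
                if (q >= end || *q == '#') break;
                const char *tok = q;
                while (q < end && *q != ' ' && *q != '\t' && *q != '#') q++;
                if ((size_t)(q - tok) == 7 && strncmp(tok, "winbind", 7) == 0) {
                    return 1;
                }
            }
            return 0;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample configurations, not copied from any real host. */
    static const char cfg_without[] = "passwd: files\ngroup: files\n";
    static const char cfg_with[] =
        "passwd: files winbind # constructed\ngroup: files winbind\n";
    uid_t uid = 0;

    printf("winbind in passwd db: without=%d with=%d\n",
           passwd_uses_winbind(cfg_without), passwd_uses_winbind(cfg_with));

    /* "root" resolves via the 'files' source; a domain-style name only
     * resolves when an NSS source such as winbind (or nss_wrapper in
     * selftest) answers for it. */
    printf("root -> %d\n", lookup_account("root", &uid));
    printf("EXAMPLEDOM\\alice -> %d\n",
           lookup_account("EXAMPLEDOM\\alice", &uid));
    return 0;
}
```

Running this on a host whose nsswitch.conf has "passwd: files" alone prints 0 for the domain-style name, which is exactly the situation the thread discusses: winbindd may be up and idmap may work, but any smbd path that ends in getpwnam() still cannot see the domain user.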