[PATCH][WIP] Remove (internal) winbind from Samba for 4.3

Andrew Bartlett abartlet at samba.org
Sat Jun 13 14:40:51 MDT 2015

On Sat, 2015-06-13 at 11:16 -0500, Steve French wrote:
> On Fri, Jun 12, 2015 at 4:01 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > What this patch does is remove the *internal* winbind from the source4
> > directory.  This was replaced by default with winbindd from source3 in
> > Samba 4.2

> I haven't looked at this in a long time, but I remember that in the
> past an argument for source4 winbind was that it could get group
> membership directly from Active Directory when Samba 4 was running as
> a Domain Controller on the same box.  For example if winbind was run
> on a Samba RODC, then Samba file server and winbind in effect already
> had a copy of the group memberships, which was replicated safely from
> the other AD DCs (rather than simply cached on a timer), and the
> source4 winbind (unlike the source3 winbind) would not have to query
> them which could improve performance and reduce load on the network
> and on the file server.
> Does the source4 Winbind have any caching advantages (vs. the source3)
> when run on a Samba 4.x AD DC? In large enterprises, retrieving group
> memberships can be one of the more performance sensitive parts of file
> server session establishment and access check evaluation.

No, on two points.  That information should already be in the PAC, and
so the first element of the task is Jeremy's work to ensure we make no
connections to the DC for a file server connection.  

While we still need to improve the handling of which connections need to
go to an R/W DC vs the local RODC, when we are an AD DC, in principle
all connections are made to the local SAMR or LSA server over ncaclrpc. 

I know I made contrary arguments in the past, that the AD DC is special,
but it isn't really that special :-). 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list