[PATCH][WIP] Remove (internal) winbind from Samba for 4.3

Andrew Bartlett abartlet at samba.org
Wed Jun 17 03:23:33 MDT 2015

On Sun, 2015-06-14 at 08:40 +1200, Andrew Bartlett wrote:
> On Sat, 2015-06-13 at 11:16 -0500, Steve French wrote:
> > On Fri, Jun 12, 2015 at 4:01 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> > > What this patch does is remove the *internal* winbind from the source4
> > > directory.  This was replaced by default with winbindd from source3 in
> > > Samba 4.2
> > I haven't looked at this in a long time, but I remember that in the
> > past an argument for source4 winbind was that it could get group
> > membership directly from Active Directory when Samba 4 was running as
> > a Domain Controller on the same box.  For example if winbind was run
> > on a Samba RODC, then Samba file server and winbind in effect already
> > had a copy of the group memberships, which was replicated safely from
> > the other AD DCs (rather than simply cached on a timer), and the
> > source4 winbind (unlike the source3 winbind) would not have to query
> > them which could improve performance and reduce load on the network
> > and on the file server.
> > 
> > Does the source4 Winbind have any caching advantages (vs. the source3)
> > when run on a Samba 4.x AD DC? In large enterprises, retrieving group
> > memberships can be one of the more performance sensitive parts of file
> > server session establishment and access check evaluation.
> No, on two points.  That information should already be in the PAC, and
> so the first element of the task is Jeremy's work to ensure we make no
> connections to the DC for a file server connection.  
> While we still need to improve the handling of which connections need to
> go to an R/W DC vs the local RODC, when we are an AD DC, in principle
> all connections are made to the local SAMR or LSA server over ncalrpc.
> I know I made contrary arguments in the past, that the AD DC is special,
> but it isn't really that special :-).

One correction:

The only difference that does come to mind is that on the DC (be it an
AD DC or the classic DC) we could avoid winbindd using the
winbindd_cache.tdb, and ask the authoritative database always.  (The
internal winbind had no such cache.)

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
