Can smbd serve files without contacting a DC

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue May 5 08:27:51 MDT 2015

On Tue, May 05, 2015 at 06:43:50AM -0700, Richard Sharpe wrote:
> > 2. there's another getpwnam in check_account() which is used to get the uid
> > and primary gid, and also for some username conversions (not sure I
> > understand all this). But the uid/gid can be obtained directly from the
> > sids, which would save the domain lookup in case of rid id-mapping.
> > Alternatively maybe it's possible to cache username->info3 in addition to
> > sid->info3 and have winbindd (which ultimately handles the getpwnam) use
> > that.

We have the netsamlogon_cache, which stores sid->info3. We
have code to also store name->sid in the winbindd_cache. If
that does not work, we need to investigate this.

> > 3. in order to convert group sids to unix gids, winbindd would first
> > contact the domain to determine the sid type. However, if the sids
> > originate in the PAC, don't we already know that they are group sids?

That is not necessarily true, see the sidHistory feature.
That's also the main reason why modern winbind creates both
a user and a group mapping for a fresh sid. ID_TYPE_BOTH is
what we call it.

> It does seem feasible to at least use the same principle as
> hash-mapping of SIDs to generate UIDs and GIDs to generate them during
> login rather than asking winbindd for that info.

For new installs that don't use RFC attributes in AD these
days I'd recommend the autorid idmap backend.

In theory, with krb5 and a PAC Samba should be able to serve SMB
connections without contacting the DC. If this does not
work, we need to analyze why this is not the case and make
it happen. Logs and/or a reproducer would be highly welcome.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen, mailto:kontakt at
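
Added example, not part of the original message and not Samba source code: a simplified Python model of the algorithmic SID-to-ID principle the thread discusses (rid-style mapping with automatically allocated per-domain ranges), showing how a uid/gid can be derived from a PAC SID with no directory lookup and why a combined user-and-group mapping (ID_TYPE_BOTH) removes the need to know the SID type. The range values, the in-memory slot table, the class and function names, and the sample SIDs are assumptions constructed for illustration.

```python
# Simplified model of algorithmic SID -> Unix ID mapping (illustration only).
# LOW_ID and RANGE_SIZE are assumed values, not taken from the thread.
LOW_ID = 1_000_000      # assumed bottom of the idmap range
RANGE_SIZE = 100_000    # assumed number of IDs per allocated slot


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID string, integer RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:2] != ["S", "1"]:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"non-numeric SID component in {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


class AlgorithmicIdmap:
    """Allocates one slot per (domain, RID block) on first sight, then
    derives the Unix ID arithmetically, without asking a DC."""

    def __init__(self, low_id=LOW_ID, range_size=RANGE_SIZE):
        self.low_id = low_id
        self.range_size = range_size
        self.slots = {}  # in-memory stand-in for a persistent slot database

    def sid_to_id(self, sid):
        domain, rid = split_sid(sid)
        # RIDs beyond one block get a further slot for the same domain.
        key = (domain, rid // self.range_size)
        slot = self.slots.setdefault(key, len(self.slots))
        unix_id = self.low_id + slot * self.range_size + rid % self.range_size
        # The same number is valid as uid and gid, so a SID that arrives as
        # a group (e.g. via sidHistory) never needs a type lookup first.
        return {"uid": unix_id, "gid": unix_id}


# Constructed sample domain SIDs, not real identifiers.
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"

if __name__ == "__main__":
    idmap = AlgorithmicIdmap()
    for sid in (DOM_A + "-1105", DOM_B + "-513", DOM_A + "-250001"):
        print(sid, idmap.sid_to_id(sid))
```

The slot table is the only state; it has to be persistent and identical wherever the same IDs are expected, otherwise file ownership on disk will resolve to different accounts.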

More information about the samba-technical mailing list