Can smbd serve files without contacting a DC

Uri Simchoni urisimchoni at gmail.com
Tue May 5 12:13:38 MDT 2015


On Tue, May 5, 2015 at 5:27 PM, Volker Lendecke <Volker.Lendecke at sernet.de>
wrote:

> On Tue, May 05, 2015 at 06:43:50AM -0700, Richard Sharpe wrote:
> > > 2. there's another getpwnam in check_account() which is used to get the uid
> > > and primary gid, and also for some username conversions (not sure I
> > > understand all this). But the uid/gid can be obtained directly from the
> > > sids, which would save the domain lookup in case of rid id-mapping.
> > > Alternatively maybe it's possible to cache username->info3 in addition to
> > > sid->info3 and have winbindd (which ultimately handles the getpwnam) use
> > > that.
>
> We have the netsamlogon_cache, which stores sid->info3. We
> have code to also store name->sid in the winbindd_cache. If
> that does not work, we need to investigate this.


AFAICT the netsamlogon_cache is for sid->info3, and name->sid is cached
only upon explicit sid->name or name->sid request.


>
> > > 3. in order to convert group sids to unix gids, winbindd would first
> > > contact the domain to determine the sid type. However, if the sids
> > > originate in the PAC, don't we already know that they are group sids?
>
> That is not necessarily true, see the sidHistory feature.
> That's also the main reason why modern winbind creates both
> a user and a group mapping for a fresh sid. ID_TYPE_BOTH is
> what we call it.


That's the kind of input I was hoping for, in order to avoid doing
something stupid. I'll have a look into that - Thanks!


>


> > It does seem feasible to at least use the same principle as
> > hash-mapping of SIDs to generate UIDs and GIDs to generate them during
> > login rather than asking winbindd for that info.
>
> For new installs that don't use RFC attributes in AD these
> days I'd recommend the autorid idmap backend.
>
> In theory, with krb5 and a PAC Samba should be able to serve SMB
> connections without contacting the DC. If this does not
> work, we need to analyze why this is not the case and make
> it happen. Logs and/or a reproducer would be highly welcome.
>
>
I will work on reproducing that. Thanks!


> With best regards,
>
> Volker Lendecke
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
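The point Richard and Volker make above (a SID from the PAC can be turned into a uid/gid locally with rid-style arithmetic, but its type cannot be known locally because of sidHistory, hence ID_TYPE_BOTH) as an added illustration; this is not code from the thread or from Samba. It assumes idmap_rid-style arithmetic (id = low range + rid), a single configured domain, and constructed sample SIDs.

```python
# Added example, not Samba's implementation: a simplified model of RID-based
# id mapping that needs no DC round-trip, returning ID_TYPE_BOTH because the
# SID's type (user or group) is not known locally.
# Assumptions: id = low + base_rid + rid (idmap_rid style), one configured
# domain, constructed SIDs.
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")  # domain SID ending in a RID


class IdmapError(Exception):
    pass


def split_sid(sid):
    """Return (domain_sid, rid) for a SID of the form S-1-5-21-a-b-c-rid."""
    m = SID_RE.match(sid)
    if not m:
        raise IdmapError(f"not a domain SID: {sid}")
    rid_str = m.group(1)
    return sid[: -len(rid_str) - 1], int(rid_str)


def rid_to_id(sid, domain_sid, low, high, base_rid=0):
    """Map a SID to a numeric id purely from local configuration.

    A SID in the PAC's group list may really be a user's old SID carried in
    sidHistory, so the type is unknown here; the same number is therefore
    returned as both uid and gid (ID_TYPE_BOTH) instead of guessing "group".
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise IdmapError(f"{sid} is not from configured domain {domain_sid}")
    xid = low + base_rid + rid
    if not low <= xid <= high:
        raise IdmapError(f"rid {rid} maps outside range {low}-{high}")
    return {"uid": xid, "gid": xid, "type": "ID_TYPE_BOTH"}


def map_pac_sids(user_sid, group_sids, domain_sid, low, high):
    """Build a local token from PAC SIDs; SIDs this backend cannot map
    (foreign domain, out of range) are reported rather than guessed."""
    token = {"uid": rid_to_id(user_sid, domain_sid, low, high)["uid"],
             "gids": [], "unmapped": []}
    for sid in group_sids:
        try:
            token["gids"].append(rid_to_id(sid, domain_sid, low, high)["gid"])
        except IdmapError:
            token["unmapped"].append(sid)
    return token
```

With a constructed domain SID S-1-5-21-1111-2222-3333 and range 10000-19999, user RID 1105 maps to 11105 and Domain Users (RID 513) to 10513, while a SID from another domain is left unmapped for winbindd to handle.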