[PATCH] change 'winbind rpc only' to default to true

Michael Adam obnox at samba.org
Thu Jun 16 22:45:24 UTC 2016

On 2016-06-16 at 15:10 -0700, Jeremy Allison wrote:
> On Fri, Jun 17, 2016 at 12:06:58AM +0200, Michael Adam wrote:
> > >         }
> > > 
> > > The above only selects reconnect_ads_methods if:
> > > 
> > > our_domain->active_directory AND domain->active_directory AND !lp_winbind_rpc_only
> > > 
> > > so setting the default to "yes" will force reconnect_methods.
> > > 
> > > Am I missing something here ?
> > 
> > The "!" before lp_winbind_rpc_only() ?
> Well I didn't miss it, just misunderstood your intention :-).

Oops but I misread 'reconnect_methods' for ad methods... my bad.

> > This is exactly the point:
> > When 'winbind rpc only' is set to "No" (the current default),
> > then ADS methods are forced (when the domain is AD).
> > 
> > I want that to change, hence proposing to set the default to Yes.
> Why is changing the default to RPC methods better ?
> Can you explain what the problem is with the current
> default ?

Oh, you pointed out that my patch is too short-sighted.
And its intent is not achieved by this patch:

What I wanted to achieve is that I get rpc-methods by
default when I configure 'security = domain'.
Of course I did not want to force rpc-methods when
'security = ads'. My error in reasoning was that I
somehow falsely assumed that 'winbind rpc only' is only
effective when 'security = domain'.

So it seems that I have misunderstood the intent of
security = domain in all those years...
My understanding was this:

- have an AD domain ==> use security = ads
- have an NT domain ==> use security = domain

And if for some reasons security = ads does not work
(no time sync, no proper dns setup...) then you
can also use security = domain as a fallback
against an AD domain. I think this is also what
it behaved like initially.

But then, security = domain was changed to behave
just like security = ads against AD domains, and
because people kept running into problems with this,
the winbind rpc only parameter was introduced to force
it back to the rpc methods if really needed.

So if this (my new) understanding is correct,
then I am still confused: If 'security = domain'
has been made more clever to detect if the domain
is AD and change its behavior accordingly by
default, then instead of asking to change the default
of 'winbind use default domain', I am now asking:

Why do we have "security = ads" anymore at all?
One clever 'security = domain' with a switch
to force it back to rpc if needed would be enough.
The current situation is confusing and redundant.

So in order to systematize things, we could

- EITHER remove security = ads (maybe leaving it as a synonym
  for security = domain), and leaving 'winbind rpc only'
  at its current default of 'no'.
  ==> This might be the cleanest solution.
- OR change the default of winbind rpc only to
  'yes' for security = domain but leave it at
  'no' for security = ads.
  ==> This would implement what I originally
      intended with the proposed patch.

I hope I made myself more clear now.

Does either of the two options above make any sense to you?

Cheers - Michael