[PATCH] change 'winbind rpc only' to default to true

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jun 17 07:05:23 UTC 2016

On Thu, Jun 16, 2016 at 05:14:32PM -0700, Jeremy Allison wrote:
> The question is - do we leave things
> as they are - which is security = ads and security = domain
> both try LDAP calls, and will both fall-back
> to RPC if there is any problem, or do we
> make a change to force RPC (no LDAP)
> if the setting is "security = domain" ?

IMHO the distinction does not really make sense at all. We should
autodetect as much as possible. In short: I believe that winbind_ads.c
needs to go.

If I remember correctly this whole mess came due to one of the later
arguments when Centeris was still around. They wanted to enforce
Kerberos and LDAP wherever possible, but at that time the whole
Kerberos infrastructure was a lot more flaky than it is now. They had
a good reason for this: You can't find unix attributes via RPC. Look
at idmap_ad_nss_init(), this has recently been split up a bit for

Now that today we have learned that retrieving the most important user
attributes (group membership) is only possible with a successful login
via RPC or PAC, this discussion has become a bit less important. And
idmap_ad has matured quite a bit too. So an explicit configuration to
use LDAP should only come via a nss config saying "winbind nss info =
sfu" or something like that.

Just my 2ct.


SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet & BSI laden ein: 29. Juni 2016,
2. IT-Grundschutztag 2016, BPA Berlin.
Anmeldung: https://www.sernet.de/gstag

More information about the samba-technical mailing list