[PATCH] change 'winbind rpc only' to default to true

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Jun 17 11:13:36 UTC 2016


On Fri, Jun 17, 2016 at 11:06:12PM +1200, Andrew Bartlett wrote:
> On Fri, 2016-06-17 at 09:05 +0200, Volker Lendecke wrote:
> > On Thu, Jun 16, 2016 at 05:14:32PM -0700, Jeremy Allison wrote:
> > > The question is - do we leave things
> > > as they are - which is security = ads and security = domain
> > > both try LDAP calls, and will both fall-back
> > > to RPC if there is any problem, or do we
> > > make a change to force RPC (no LDAP)
> > > if the setting is "security = domain" ?
> > 
> > IMHO the distinction does not really make sense at all. We should
> > autodetect as much as possible. In short: I believe that
> > winbind_ads.c
> > needs to go.
> 
> I'm not sure of the mechanics (eg if winbind_ads should be used - is it
> still the only way to get correct primary groups on user lists?), but I

My attitude towards this is that we cannot get this at all in a reliable
fashion in a trusted domain scenario. So why make so much fuss over
it? To the best of *MY* limited knowledge of AD, the only reliable way
to retrieve user data is to get a PAC or do a successful SamLogon call
with the user's pass-through credentials. Has this changed, or have I
always been wrong?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

SerNet & BSI invite you: 29 June 2016,
2nd IT-Grundschutztag 2016, BPA Berlin.
Registration: https://www.sernet.de/gstag
