[PATCH] change 'winbind rpc only' to default to true

Michael Adam obnox at samba.org
Fri Jun 17 11:18:06 UTC 2016


On 2016-06-17 at 23:06 +1200, Andrew Bartlett wrote:
> On Fri, 2016-06-17 at 09:05 +0200, Volker Lendecke wrote:
> > On Thu, Jun 16, 2016 at 05:14:32PM -0700, Jeremy Allison wrote:
> > > The question is - do we leave things
> > > as they are - which is security = ads and security = domain
> > > both try LDAP calls, and will both fall-back
> > > to RPC if there is any problem, or do we
> > > make a change to force RPC (no LDAP)
> > > if the setting is "security = domain" ?
> > 
> > IMHO the distinction does not really make sense at all. We should
> > autodetect as much as possible. In short: I believe that
> > winbind_ads.c needs to go.
> 
> I'm not sure of the mechanics (eg if winbind_ads should be used - is it
> still the only way to get correct primary groups on user lists?), but I
> do so very much agree with the 'autodetect as much as possible' part.  

Same here. One thing is the implementation.
The other thing (which I was starting with) is the
'user experience' i.e. what parameters do I have to set
in order to get which behaviour back, no matter how
the c-files implementing this behaviour are called.

> I would love for security=ads to just be a synonym for security=domain,
> and then for us to just work the rest out.

Exactly one of my proposals in a much earlier mail in this
thread, once I finally understood what appears to have been
the intention of the earlier security=domain changes. :-)

> That was the purpose of my attempt at 'server role',
> which we really only push for the AD DC.

Right. It is all pretty inconsistent and 'server role' is
certainly conceptually a good thing. But as Jeremy pointed
out, the challenge here is not breaking the whole user base.
So this first step (making ads and domain synonyms, and possibly
deprecating the ads value over time, etc.) sounds like a very feasible
and reasonable approach.

Cheers - Michael