[PATCH] change 'winbind rpc only' to default to true
asn at samba.org
Fri Jun 17 11:29:25 UTC 2016
On Friday, 17 June 2016 13:13:36 CEST Volker Lendecke wrote:
> On Fri, Jun 17, 2016 at 11:06:12PM +1200, Andrew Bartlett wrote:
> > On Fri, 2016-06-17 at 09:05 +0200, Volker Lendecke wrote:
> > > On Thu, Jun 16, 2016 at 05:14:32PM -0700, Jeremy Allison wrote:
> > > > The question is - do we leave things
> > > > as they are - which is security = ads and security = domain
> > > > both try LDAP calls, and will both fall-back
> > > > to RPC if there is any problem, or do we
> > > > make a change to force RPC (no LDAP)
> > > > if the setting is "security = domain" ?
> > >
> > > IMHO the distinction does not really make sense at all. We should
> > > autodetect as much as possible. In short: I believe that
> > > winbind_ads.c
> > > needs to go.
> > I'm not sure of the mechanics (eg if winbind_ads should be used - is it
> > still the only way to get correct primary groups on user lists?), but I
> My attitude towards this is that we can not get this at all in a reliable
> fashion in a trusted domain scenario. So why make so much fuss over
> it? To the best of *MY* limited knowledge of AD, the only reliable way
> to retrieve user data is to get a PAC or do a successful SamLogon call
> with the user's pass-through credentials. Has this changed, or have I
> always been wrong?
This is true. I worked with Günther on a patch that if 'id' is called and we
can only get information about the user with the machine account, we only
display the primary gid and nothing else.
Currently we try weird calls on trusted domains and end up with invalid groups
shown for a user. If we have a valid netsamlogoncache, we display all groups.
We simply had too many bugs in the past and we should avoid trying to show
information which is invalid.
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org