Radically trim down winbind?

Volker Lendecke vl at samba.org
Thu Nov 3 20:45:13 UTC 2016


While looking at problems with our winbindd_domain_list and trust
enumeration I just had an idea: Just discard everything that can't
reliably work. The two main things are:

1. Enumerating users and groups: I can see one scenario where this could
   possibly work, and that is on a DC for the local domain. Everything
   else is just prone to fail, because we don't have the privileges to
   enumerate things or we can't reach DC's or a thousand other reasons
   like timeouts in huge domains.

2. Querying group memberships without a pac/info3 struct. Again, the only
   scenario might be on a dc for the local users. For everything else
   we *must* rely on the DC to give us the group membership info after a
   successful login. I can't count the number of times I have explained
   to users (and Samba Team people, just this week.... :-) that all bets
   are off regarding wbinfo -r without wbinfo -a or an smb login. The
   problem here is -- it works sometimes with incomplete information and
   it's very hard to figure out the exact circumstances when it works
   and when it does not.

So an idea would be to really delete the code that enumerates anything but
passdb users, and anything that tries to query group membership info without a
netsamlogon_cache.tdb entry. For passdb we can look at the local database.

Thoughts? Too extreme?


More information about the samba-technical mailing list