Radically trim down winbind?
Volker Lendecke
vl at samba.org
Thu Nov 3 20:45:13 UTC 2016
Hi!
While looking at problems with our winbindd_domain_list and trust
enumeration I just had an idea: Just discard everything that can't
reliably work. The two main things are:
1. Enumerating users and groups: I can see one scenario where this could
possibly work, and that is on a DC for the local domain. Everything
else is just prone to fail, because we don't have the privileges to
enumerate things or we can't reach DC's or a thousand other reasons
like timeouts in huge domains.
2. Querying group memberships without a pac/info3 struct. Again, the only
scenario might be on a dc for the local users. For everything else
we *must* rely on the DC to give us the group membership info after a
successful login. I can't count the number of times I have explained
to users (and Samba Team people, just this week.... :-) that all bets
are off regarding wbinfo -r without wbinfo -a or an smb login. The
problem here is -- it works sometimes with incomplete information and
it's very hard to figure out the exact circumstances when it works
and when it does not.
So an idea would be to really delete the code that enumerates anything but
passdb users, and anything that tries to query group membership info without a
netsamlogon_cache.tdb entry. For passdb we can look at the local database.
Thoughts? Too extreme?
Volker
More information about the samba-technical
mailing list