Radically trim down winbind?

Volker Lendecke vl at samba.org
Fri Nov 4 07:20:37 UTC 2016

On Fri, Nov 04, 2016 at 12:09:57AM +0200, Uri Simchoni wrote:
> > 1. Enumerating users and groups: I can see one scenario where this could
> >    possibly work, and that is on a DC for the local domain. Everything
> >    else is just prone to fail, because we don't have the privileges to
> >    enumerate things or we can't reach DC's or a thousand other reasons
> >    like timeouts in huge domains.
> > 
> IMHO user/group enumeration is a toy feature, can't really work with
> Enterprise domains due to their size. Users of small domains might find
> it useful but we can refer them to a simple ldap query that does the same.

Thanks for the confirmation :-)

> There is one application to querying group memberships without logon
> that I know of, and that's "force user". You want all files in some

I don't want to cut "getent passwd domain\\username" for a specific
user, which is what "force user" does. This can be done with an lsa
name2sid and an idmapping call. We need to invent a primary group when
the netsamlogon cache entry is missing, but in some circumstances we
already use "domain users". We might want to add a parameter for that.

> Can you explain the "all bets are off" (i.e. when doesn't ldap
> tokenGroups work)? If it's difficult to specify the exact circumstances,
> can you provide an example of a setup you encountered (I'll need to
> understand it myself and then explain to others why a solution that
> seemed to work needs to be re-architected)?

The first one is trusts. We just don't have the rights to access a remote
DC for anything. And then I've seen an AD that would not allow a machine
to access any user's token due to ACLs. It was a while ago, but with
tightened security I would expect this to be a common scenario. Why
should any machine on the net have the possibility to query the group
memberships of a user? This is an avoidable information leak. Then there
would be service2self4u (or so, some Kerberos thing to achieve what
we would need). But we figured that this won't work in certain trust
scenarios too. So -- all extremely fragile.

The only reliable way is a successful login by a user.
