Radically trim down winbind?

Andreas Schneider asn at samba.org
Fri Nov 4 07:47:57 UTC 2016


On Thursday, 3 November 2016 21:45:13 CET Volker Lendecke wrote:
> Hi!
> 
> While looking at problems with our winbindd_domain_list and trust
> enumeration I just had an idea: Just discard everything that can't
> reliably work. The two main things are:
> 
> 1. Enumerating users and groups: I can see one scenario where this could
>    possibly work, and that is on a DC for the local domain. Everything
>    else is just prone to fail, because we don't have the privileges to
>    enumerate things or we can't reach DCs or a thousand other reasons
>    like timeouts in huge domains.

Do you mean 'getent passwd' enumeration or do you mean 'wbinfo -u'? At least I 
find 'wbinfo -u' useful; I changed its default some time ago so that it only 
enumerates our own domain by default.

> 2. Querying group memberships without a pac/info3 struct. Again, the only
>    scenario might be on a DC for the local users. For everything else
>    we *must* rely on the DC to give us the group membership info after a
>    successful login. I can't count the number of times I have explained
>    to users (and Samba Team people, just this week.... :-) that all bets
>    are off regarding wbinfo -r without wbinfo -a or an smb login. The
>    problem here is -- it works sometimes with incomplete information and
>    it's very hard to figure out the exact circumstances when it works
>    and when it does not.

Yes, that's what I have been voting for for a long time. I think that the 'id' 
command without a samlogon cache should only return the uid and the primary 
gid and nothing else. It is really confusing, because our users think the 
information that is returned right now is correct!


Andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
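
The caveat both posters describe (group membership reported by winbind before a successful login may be incomplete) can be checked operationally. The following script is an added example for this archive page; it is not code from the thread or from the Samba project. It assumes winbindd is running with 'wbinfo' and 'id' in PATH, and that the caller supplies a domain user and password; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the samba-technical thread or the Samba project.
# Compares the group list `id -G` reports for a user before a login (no
# samlogon cache / PAC available to winbind) with the list reported after
# `wbinfo -a` has performed a SamLogon, and prints the groups that only
# became visible after the login.
#
# Assumptions (not from the thread): winbindd is running, `wbinfo` and `id`
# are in PATH, and the user/password are passed as the two arguments.

# Print the GIDs present in $2 (post-login) but absent from $1 (pre-login).
# Both arguments are whitespace-separated GID lists as printed by `id -G`.
# Output is one GID per line, numerically sorted.
missing_groups() {
    pre=$1
    post=$2
    for g in $post; do
        case " $pre " in
            *" $g "*) ;;                # already known before the login
            *) printf '%s\n' "$g" ;;    # only visible after the login
        esac
    done | sort -n
}

# Print how many GIDs were missing from the pre-login list.
missing_count() {
    missing_groups "$1" "$2" | grep -c . || true
}

# Live check against a running winbindd: exit 0 if the login changed
# nothing, 2 if groups appeared only after the login, 1 on command failure.
check_user() {
    user=$1
    pass=$2
    pre=$(id -G "$user") || return 1
    # wbinfo -a USER%PASSWORD performs the SamLogon that fills winbind's
    # samlogon cache with the DC-supplied group membership (info3).
    wbinfo -a "$user%$pass" >/dev/null || return 1
    post=$(id -G "$user") || return 1
    n=$(missing_count "$pre" "$post")
    if [ "$n" -gt 0 ]; then
        echo "$n group(s) only visible after login:"
        missing_groups "$pre" "$post"
        return 2
    fi
    echo "group list unchanged by login"
}

# Run the live check only when an account was given on the command line;
# the comparison functions above can be exercised on constructed lists.
if [ $# -eq 2 ]; then
    check_user "$1" "$2"
fi
```

A non-empty list from check_user is exactly the situation Volker describes: the pre-login answer was built from incomplete information and should not have been trusted. Run it as `sh check.sh 'DOM\user' 'password'` against a member server and a DC to see the difference in behaviour.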