Radically trim down winbind?

Stefan Metzmacher metze at samba.org
Fri Nov 4 12:12:17 UTC 2016 

Hi Volker,

> While looking at problems with our winbindd_domain_list and trust
> enumeration I just had an idea: Just discard everything that can't
> reliably work. The two main things are:
> 
> 1. Enumerating users and groups: I can see one scenario where this could
>    possibly work, and that is on a DC for the local domain. Everything
>    else is just prone to fail, because we don't have the privileges to
>    enumerate things or we can't reach DC's or a thousand other reasons
>    like timeouts in huge domains.
> 
> 2. Querying group memberships without a pac/info3 struct. Again, the only
>    scenario might be on a dc for the local users. For everything else
>    we *must* rely on the DC to give us the group membership info after a
>    successful login. I can't count the number of times I have explained
>    to users (and Samba Team people, just this week.... :-) that all bets
>    are off regarding wbinfo -r without wbinfo -a or an smb login. The
>    problem here is -- it works sometimes with incomplete information and
>    it's very hard to figure out the exact circumstances when it works
>    and when it does not.
> 
> So an idea would be to really delete the code that enumerates anything but
> passdb users, and anything that tries to query group membership info without a
> netsamlogon_cache.tdb entry. For passdb we can look at the local database.
> 
> Thoughts? Too extreme?

I'm happy to remove as much as we can :-)

User administration just doesn't belong to winbindd.

I case we really need, we should have one dedicated winbindd child
per logged in user, where we do administrative tasks, but using
the users credentials and not the machine credentials.
The user would need to do an implicit or explicit wbinfo --pam-logon=
before. root may use the machine account, but everything should
still be in a dedicated child, completely isolated from the core
winbindd logic.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161104/7b0e5472/signature.sig>

More information about the samba-technical mailing list