Radically trim down winbind?

Stefan Kania stefan at kania-online.de
Fri Nov 4 12:51:13 UTC 2016



On 04.11.2016 at 11:37, Volker Lendecke wrote:
> On Fri, Nov 04, 2016 at 10:24:15AM +0100, Stefan Kania wrote:
>> How many installations with 100k users do you have? How many
>> installations with fewer than 500 users do you have? You always keep
>> in mind that Samba is used in many different environments. So
>> "wbinfo -u/-g" is used very often to see if the connection to
>> the DC is working. The two parameters "winbind enum users/groups"
>> can be removed; it's not a very good idea to list users and groups even
>> with 500 users.
> 
> Yes, and that purpose is just a wrong use. Even for 50 users. We 
> have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n 
> domain\\administrator.
You are right, but so many admins are using it ;-)
> What we could do is move the complex logic to list users into the
> wbinfo binary if this is such a critical feature to have under the
> wbinfo command. Alternatively we can provide a descriptive message
> to use wbinfo --ping-dc when someone types in wbinfo -u. Or turn 
> wbinfo -u/-g into wbinfo --ping-dc if people are so used to typing
> wbinfo -u to test DC connectivity.
That would be a good solution. This will give a hint on how to get the
users and groups listed instead. Just removing an option and not giving
an alternative command is never a good idea.
winbind --ping-dc will not give you a list of all users.
> 
> I am happy to provide a net ads search shortcut to list users and 
> groups, assuming it does not exist yet. I just believe this 
> functionality does not belong into winbind.
> 
That's not a good solution, because the output is different and
"wbinfo -g" is much shorter than "net ads search
'(objectCategory=group)' sAMAccountName" and easier to remember ;-)
I understand your point of view. It's the view from the side of a
developer, but admins will never use "net ads search" as long as there
is an easier way ;-)
And the result of both commands is not the same.

I think, if asking winbind is not such a good idea, you have to change
it, but remember, not everyone using Samba is a developer ;-). There
must be a solution to list users and groups from the domain on a
memberserver.


> The deeper reason why I want this out is:
> 
> We need to get rid of the internal winbind domain list. We can not
> rely on being able to enumerate all trusts. On a member, we have
> one domain we can reliably connect to. On a DC, we have a fixed
> list of explicit outgoing trusts that we know about locally. That's
> it.
> 
> RFC2307 attributes in a trusted domain is the only valid reason to 
> connect to a trusted DC from a member, and that one has already
> been liberated from depending on enumerating trusts.
> 
> User/group enumeration and trying to get group memberships are the
> big ones that right now look at that list. We *could* of course try
> to mimic that on-demand without listing trusts, but this is a lot
> of effort for something that we can't ever make work reliably,
> just because Windows clients don't do it.
> 
>>> We already have replacements: samba-tool user list and
>>> samba-tool group list
>> On a DC but not on a member. Yes you can always do an ssh to the
>> DC but it will not show if all users are visible on the member.
>> In bigger installations the admins responsible for the fileserver
>> do not even have the possibility to do an ssh to the DC because
>> someone else is responsible for the DCs. The same with the
>> ldb-tools, I don't want to install the ldb-tool on all
>> memberservers.
> 
> Look at the Windows GUI: You have a search window where you can 
> validate users. By default Windows will only list the first 2000 
> users, for a good reason. Even a Windows member does not have the 
> ability to list all users in the domain(s). Maybe we can find a
> good description on the Microsoft websites as to why they cut it
> and point our users at it.
> 
> Volker
> 


-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam. Sign your
e-mail. Further information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net

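As an added example (not code from this thread or from the Samba project), here is a member-server check that uses the cheap probes named above (wbinfo -t, --ping-dc, -n) instead of enumerating the domain with wbinfo -u/-g, and that reduces the "net ads search" output to a plain name list like the one wbinfo -g gives. It assumes net ads search prints a "Got N replies" line followed by "attr: value" lines, and EXAMPLE is a placeholder domain name.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): check a member server's
# DC connection with the cheap probes Volker names instead of enumerating
# the domain with "wbinfo -u/-g", and reduce "net ads search" output to a
# plain name list like "wbinfo -g" gives. Assumed: net ads search prints a
# "Got N replies" line then "attr: value" lines; EXAMPLE is a placeholder.

# dc_connectivity_check DOMAIN: run the probes, report failures, return
# non-zero if any failed.
dc_connectivity_check() {
    domain=$1 rc=0
    wbinfo -t >/dev/null 2>&1 || { echo 'FAIL: trust secret (wbinfo -t)'; rc=1; }
    wbinfo --ping-dc >/dev/null 2>&1 || { echo 'FAIL: DC ping (wbinfo --ping-dc)'; rc=1; }
    wbinfo -n "$domain\\administrator" >/dev/null 2>&1 \
        || { printf 'FAIL: name lookup (wbinfo -n %s)\n' "$domain\\administrator"; rc=1; }
    return $rc
}

# sam_names_from_search: net ads search output on stdin -> one
# sAMAccountName per line, the shape admins expect from wbinfo -g.
sam_names_from_search() { sed -n 's/^sAMAccountName: //p'; }

# count_names: number of non-empty lines on stdin.
count_names() { awk 'NF { n++ } END { print n + 0 }'; }

# search_output_consistent: succeed only when the names found match the
# "Got N replies" count, so a truncated search is not taken for a full list.
search_output_consistent() {
    awk '/^Got [0-9]+ replies$/ { got = $2 }
         /^sAMAccountName: /    { seen++ }
         END { exit !(got != "" && seen == got) }'
}

# list_domain_groups: the exact query quoted in the thread, normalised.
list_domain_groups() {
    net ads search '(objectCategory=group)' sAMAccountName | sam_names_from_search
}

# Constructed sample of the assumed net ads search output.
SAMPLE_SEARCH_OUTPUT='Got 3 replies
sAMAccountName: Domain Admins
sAMAccountName: Domain Users
sAMAccountName: fileserver-admins'

# Only talk to a real DC when the Samba tools are present.
if command -v wbinfo >/dev/null 2>&1 && command -v net >/dev/null 2>&1; then
    dc_connectivity_check "${1:-EXAMPLE}" && list_domain_groups | count_names
fi
```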
