Radically trim down winbind?

Fri Nov 4 13:39:21 UTC 2016

On Fri, Nov 04, 2016 at 01:51:13PM +0100, Stefan Kania wrote:
> > What we could do is move the complex logic to list users into the
> > wbinfo binary if this is such a critical feature to have under the
> > wbinfo command. Alternatively we can provide a descriptive message
> > to use wbinfo --ping-dc when someone types in wbinfo -u. Or turn 
> > wbinfo -u/-g into wbinfo --ping-dc if people are so used to typing
> > wbinfo -u to test DC connectivity.
> That would be a good solution. This will give a hint how to get the
> users and groups listed instead . Just remove an option and not giving
> an alternative command is never a good idea.
> winbind --ping-dc will not give you a list of all users.

Ok, asking again: Why do you need the list of all users? What are you
really using it for?

> > I am happy to provide a net ads search shortcut to list users and 
> > groups, assuming it does not exist yet. I just believe this 
> > functionality does not belong into winbind.
> > 
> That's not a good solution, because the output is different and a
> "wbinfo -g" is much shorter as "net ads search
> '(objectCategory=group)' sAMAccountName" and easier to remember ;-)
> I understand your point of view. It's the view from the side of a
> developer but admins will never user "net ads search" as long as there
> is an easier way ;-)
> And the result of both commands is not the same.

As I said -- I am willing to give you a shortcut with the same output.

> I think, if asking winbind is not such a god idea, you have to change
> it, but remember, not everyone using Samba is a developer ;-). There

I am also someone supporting customers. And it is extremely tiring to
explain to customers again and again that it is not a good idea to use
wbinfo -u, to rely on "id <username>" as root and so on. I have really
hard to diangose problems thanks to the fact that winbind even does
provide wbinfo -u.

I have a customer who uses NFS ganesha server side authorization,
relying on "id <username>" to work. From time to time it works, but it
is unreliable for them. They are very unhappy to hear that Samba just
can not solve their problem, because AD does not provide the required
information. Now changing this large deployment to something else
(they have not decided what to use yet) is painful.  If "id
<username>" had not provided anything at all without a successful smb
login, they would have seen this much earlier.

I have a customer with a piece of software that does wbinfo -u at
least once a day for auditing purposes. I was not aware that this was
happening until this software was installed in a domain with a few
thousand users (so large, but not huge). In their lab with the test
infrastructure it worked fine, but the customer is bitterly
complaining about outages once a day. It took a while to even find the
wbinfo -u process and where it came from. This wbinfo -u is so deeply
embedded into the auditing software that they now have to live with
the outages. Had wbinfo -u not existed in this form, they would have
gotten to a much better solution earlier: Ask for users on demand as
they access the system.

> must be a solution to list users and groups from the domain on a
> memberserver.

If you can point me at the Microsoft documentation how you can do it
from a Windows API perspective by just using the machine credentials,
I will be happy to provide something similar.

Yes, I know this is a change and I will probably offend quite some
users, but I really believe it is necessary.

Volker