Radically trim down winbind?

Matthew Newton mcn4 at leicester.ac.uk
Fri Nov 4 13:35:15 UTC 2016


Hi all,

On Fri, Nov 04, 2016 at 01:12:17PM +0100, Stefan Metzmacher wrote:
> > While looking at problems with our winbindd_domain_list and trust
> > enumeration I just had an idea: Just discard everything that can't
> > reliably work. The two main things are:
...
> > Thoughts? Too extreme?
> 
> I'm happy to remove as much as we can :-)
> 
> User administration just doesn't belong to winbindd.

Just so I can try and work out what you're planning :)

Earlier this year I wrote a new module for FreeRADIUS that permits
checking group membership directly via winbindd. The "traditional"
way of doing this is obviously via LDAP, but for a lot of setups
where people aren't using LDAP already, but winbindd was already in
use for authentication, it seemed nice to just use the existing
setup.

The module calls wbcCtxGetGroups to get the group list for a
username, and then enumerates each of them with wbcCtxGetgrgid.
This seems to work for the cases I've heard of where people are
using it.

I guess my questions are -

 - was this the wrong thing to do, i.e. is it so unreliable that
   it could give incorrect values?

 - is this about to break?

 - if so, is there a recommended way to do this via winbindd that
   will continue to work?

Lots of people seem to get hung up on the correct LDAP
configuration, so finding that groups were available via winbindd
was a nice surprise and makes it easier for simpler setups. But
obviously not if it doesn't reliably return the correct results.

Thanks!

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


