Radically trim down winbind?

Volker Lendecke vl at samba.org
Fri Nov 4 14:06:53 UTC 2016 

On Fri, Nov 04, 2016 at 01:35:15PM +0000, Matthew Newton wrote:
> Hi all,
> 
> On Fri, Nov 04, 2016 at 01:12:17PM +0100, Stefan Metzmacher wrote:
> > > While looking at problems with our winbindd_domain_list and trust
> > > enumeration I just had an idea: Just discard everything that can't
> > > reliably work. The two main things are:
> ...
> > > Thoughts? Too extreme?
> > 
> > I'm happy to remove as much as we can :-)
> > 
> > User administration just doesn't belong to winbindd.
> 
> Just so I can try and work out what you're planning :)
> 
> Earlier this year I wrote a new module for FreeRADIUS that permits
> checking group membership directly via winbindd. The "traditional"
> way of doing this is obviously via LDAP, but for a lot of setups
> where people aren't using LDAP already, but winbindd was already in
> use for authentication, it seemed nice to just use the existing
> setup.
> 
> The module calls wbcCtxGetGroups to get the group list for a

wbcCtxGetGroups is good assuming you have successfully used
wbcAuthenticateUser[Ex] before for that user. That's the point of
doing it correctly when we have a netsamlogon_cache.tdb entry.

> username, and then enumerates each of them with wbcCtxGetgrgid.
> This seems to work for the cases I've heard of where people are
> using it.

wbcCtxGetgrgid is okay as long as you don't expect winbind to expand
all group members including nexted groups. Just getting the /etc/group
entry without the members is fully supported and will be so in the
future.

> I guess my questions are -
> 
>  - was this the wrong thing to do, i.e. is it so unreliable that
>    it could give incorrect values
> 
>  - is this about to break?
> 
>  - if so, is there a recommended way to do this via winbindd that
>    will continue to work?

If you need the full group members expanded, this is not reliable.
Just imagine the domain users group in a large domain. Querying
individual items without implicit enumeration is always ok.

> Lots of people seem to get hung up on the correct LDAP
> configuration, so finding that groups were available via winbindd
> was a nice surprise and makes it easier for simpler setups. But
> obviously not if it doesn't reliably return the correct results.

The problem with AD groups is their complexity. Global groups, domain
local groups, universal groups and who knows what other types of
groups are very hard to get right.

Volker

More information about the samba-technical mailing list