Radically trim down winbind?
jra at samba.org
Fri Nov 4 18:18:25 UTC 2016
On Fri, Nov 04, 2016 at 02:39:21PM +0100, Volker Lendecke wrote:
> I am also someone supporting customers. And it is extremely tiring to
> explain to customers again and again that it is not a good idea to use
> wbinfo -u, to rely on "id <username>" as root and so on. I have really
> hard-to-diagnose problems thanks to the fact that winbind even does
> provide wbinfo -u.
> I have a customer who uses NFS ganesha server side authorization,
> relying on "id <username>" to work. From time to time it works, but it
> is unreliable for them. They are very unhappy to hear that Samba just
> can not solve their problem, because AD does not provide the required
> information. Now changing this large deployment to something else
> (they have not decided what to use yet) is painful. If "id
> <username>" had not provided anything at all without a successful smb
> login, they would have seen this much earlier.
> I have a customer with a piece of software that does wbinfo -u at
> least once a day for auditing purposes. I was not aware that this was
> happening until this software was installed in a domain with a few
> thousand users (so large, but not huge). In their lab with the test
> infrastructure it worked fine, but the customer is bitterly
> complaining about outages once a day. It took a while to even find the
> wbinfo -u process and where it came from. This wbinfo -u is so deeply
> embedded into the auditing software that they now have to live with
> the outages. Had wbinfo -u not existed in this form, they would have
> gotten to a much better solution earlier: Ask for users on demand as
> they access the system.
+1 this. Providing an incorrect list is worse than providing
no list at all.
We need to make clear the fact that only with a successful logon
can we provide a correct list of user groups.
Anything else is deceiving people and has ended up causing us ongoing
> > Stefan Kania wrote:
> > must be a solution to list users and groups from the domain on a
> > memberserver.
Stefan, wishing for something doesn't make it so. What you want isn't
possible in the generic case you want it for.
> If you can point me at the Microsoft documentation how you can do it
> from a Windows API perspective by just using the machine credentials,
> I will be happy to provide something similar.
> Yes, I know this is a change and I will probably offend quite some
> users, but I really believe it is necessary.
Yes, this is necessary. I'm happy to review patches for this.
Thanks a *LOT* for taking this bull by the horns Volker !