Radically trim down winbind?

Andrew Bartlett abartlet at samba.org
Fri Nov 4 19:16:05 UTC 2016 

On Thu, 2016-11-03 at 21:45 +0100, Volker Lendecke wrote:
> Hi!
> 
> While looking at problems with our winbindd_domain_list and trust
> enumeration I just had an idea: Just discard everything that can't
> reliably work. The two main things are:
> 
> 1. Enumerating users and groups: I can see one scenario where this
> could
>    possibly work, and that is on a DC for the local domain.
> Everything
>    else is just prone to fail, because we don't have the privileges
> to
>    enumerate things or we can't reach DC's or a thousand other
> reasons
>    like timeouts in huge domains.
> 
> 2. Querying group memberships without a pac/info3 struct. Again, the
> only
>    scenario might be on a dc for the local users. For everything else
>    we *must* rely on the DC to give us the group membership info
> after a
>    successful login. I can't count the number of times I have
> explained
>    to users (and Samba Team people, just this week.... :-) that all
> bets
>    are off regarding wbinfo -r without wbinfo -a or an smb login. The
>    problem here is -- it works sometimes with incomplete information
> and
>    it's very hard to figure out the exact circumstances when it works
>    and when it does not.
> 
> So an idea would be to really delete the code that enumerates
> anything but
> passdb users, and anything that tries to query group membership info
> without a
> netsamlogon_cache.tdb entry. For passdb we can look at the local
> database.
> 
> Thoughts? Too extreme?

What about keeping the group memberships part, but only for the local
domain, just keep punting the problem to the server by ONLY asking for
the tokenGroups attribute on the user as the only method?  Then drop
the other winbindd_ads fallbacks (I don't understand why we think we
need fallbacks here). 

Keeping this for the single domain case would I hope cause less
disruption.

One of the other tools we have in our playbook is the Samba RODC.  We
haven't really put it to great use yet (and it needs work).  You
mention elsewhere in the thread that the DC case is different (we have
the data), and perhaps we can smarten it up enough so that if you
really want to enumerate all users, you make yourself an RODC.

(I'm working with a customer using Samaba's RODC as a cache, and that
is helping me learn more about how you might do this in the real
world). 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list