Radically trim down winbind?
abartlet at samba.org
Sat Nov 5 02:30:47 UTC 2016
On Fri, 2016-11-04 at 21:24 +0100, Volker Lendecke wrote:
> On Sat, Nov 05, 2016 at 08:16:05AM +1300, Andrew Bartlett wrote:
> > What about keeping the group memberships part, but only for the
> > local domain, just keep punting the problem to the server by ONLY
> > asking for the tokenGroups attribute on the user as the only method?
> > Then drop the other winbindd_ads fallbacks (I don't understand why we
> > think we need fallbacks here).
> What's the meaning of the limitation in
> saying that it won't work without a GC? Can we detect that and do a
> proper fallback? Isn't that a level of uncertainty that we might want
> to avoid? And, can we be sure that we as a machine will always have
> the permission to read that attribute?
We should assure ourselves of that. In terms of finding the GC, we could
decide only to bind to a GC by the name we use when doing a lookup, and
the flags we check for in the netlogon ping.
> > Keeping this for the single domain case would I hope cause less
> > disruption.
> > One of the other tools we have in our playbook is the Samba RODC.
> > We haven't really put it to great use yet (and it needs work). You
> > mention elsewhere in the thread that the DC case is different (we
> > have the data), and perhaps we can smarten it up enough so that if
> > you really want to enumerate all users, you make yourself an RODC.
> The DC case being different was an initial reaction. However, looking
> at it again I'm not so sure anymore it is so vastly different.
> We will always have the possibility to look at named users with
> "getent passwd <username>" just as in the member case. Listing them I
> think we have the same problem: Size and associated load on winbind
> and the LDAP server. Will the Samba DC always give us the tokenGroups
> of the local domain users?
Yes. I'm happy to assert that will always be the case. We don't
intend to implement a non-GC Samba DC, even when we get subdomain
support - it just isn't worth the effort to have the distinction.
> We need to keep the group membership
> calculation in one place. And if the DC can give us a reliable path
> into the component that does it (preferably over a socket....), we
> might do it.
I'm all for keeping calculations and code in one place.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
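Added example (not Samba code and not part of the thread): a stand-alone Python sketch of what the client side of the "tokenGroups only" path discussed above has to do. tokenGroups is a constructed attribute, so it can only be read with a base-scope search on the user object itself (for example ldbsearch with -s base on the user's DN); the DC computes the transitive membership and returns one binary SID per group. The script does not talk to a directory: it parses constructed sample values of that attribute into textual SIDs, filters them to the local domain (the single-domain variant Andrew proposes), and tests the DS_GC_FLAG bit (0x00000004 in the MS-ADTS server-type flags returned by a netlogon ping) to decide whether the responder is a GC. The domain SID, the group values and the flag word used at the bottom are made up.

```python
"""Decode tokenGroups values and check the GC flag from a netlogon ping.

Example code written for this archive page, not Samba's winbindd.
The attribute would be fetched with a base-scope search, e.g.

    ldbsearch -H ldap://gc.example.com \
        -b 'CN=alice,CN=Users,DC=example,DC=com' -s base tokenGroups

All SID values and flag words below are constructed test data.
"""
import struct

# DS_GC_FLAG from the MS-ADTS DS_FLAG set carried in the netlogon ping reply:
# the responding server advertises itself as a global catalog.
DS_GC_FLAG = 0x00000004


def sid_from_bytes(blob: bytes) -> str:
    """Parse a binary SID (revision, count, 48-bit authority, LE sub-authorities)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, subauth_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * subauth_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack("<%dI" % subauth_count, blob[8:])
    return "S-%d-%d%s" % (revision, authority,
                          "".join("-%d" % s for s in subauths))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes; used only to build the constructed samples."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a textual SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))


def token_groups_to_sids(values):
    """Turn the multi-valued binary tokenGroups attribute into textual SIDs."""
    return [sid_from_bytes(v) for v in values]


def local_domain_groups(sids, domain_sid):
    """Keep only groups that are RIDs under domain_sid (the local-domain-only variant)."""
    prefix = domain_sid + "-"
    depth = domain_sid.count("-") + 1
    return [s for s in sids if s.startswith(prefix) and s.count("-") == depth]


def is_global_catalog(server_type_flags: int) -> bool:
    """True if the netlogon ping server-type word has DS_GC_FLAG set."""
    return bool(server_type_flags & DS_GC_FLAG)


# Constructed sample: what a base-scope tokenGroups search might return for
# a user who is directly in Domain Users, nested into Domain Admins, and a
# member of a universal group homed in another domain of the forest.
DOMAIN_SID = "S-1-5-21-3623811015-3361044348-30300820"
OTHER_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_TOKEN_GROUPS = [
    sid_to_bytes(DOMAIN_SID + "-513"),        # Domain Users
    sid_to_bytes(DOMAIN_SID + "-512"),        # Domain Admins (nested, resolved by the DC)
    sid_to_bytes(OTHER_DOMAIN_SID + "-1105"),  # universal group from another domain
]

if __name__ == "__main__":
    sids = token_groups_to_sids(SAMPLE_TOKEN_GROUPS)
    print("all groups:        ", sids)
    print("local domain only: ", local_domain_groups(sids, DOMAIN_SID))
    print("responder is a GC: ", is_global_catalog(0x1F5))  # constructed flag word
```

The local-domain filter is exactly the difference between "trust the GC's answer" and Andrew's fallback-free single-domain proposal: without a GC the directory only vouches for groups under its own domain SID, so anything the filter drops is membership the client has no authority for and should not invent.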