Radically trim down winbind?

Michael Adam obnox at samba.org
Wed Nov 16 11:40:45 UTC 2016 

On 2016-11-03 at 21:45 +0100, Volker Lendecke wrote:
> Hi!
> 
> While looking at problems with our winbindd_domain_list and trust
> enumeration I just had an idea: Just discard everything that can't
> reliably work. The two main things are:
> 
> 1. Enumerating users and groups: I can see one scenario where this could
>    possibly work, and that is on a DC for the local domain. Everything
>    else is just prone to fail, because we don't have the privileges to
>    enumerate things or we can't reach DC's or a thousand other reasons
>    like timeouts in huge domains.
> 
> 2. Querying group memberships without a pac/info3 struct. Again, the only
>    scenario might be on a dc for the local users. For everything else
>    we *must* rely on the DC to give us the group membership info after a
>    successful login. I can't count the number of times I have explained
>    to users (and Samba Team people, just this week.... :-) that all bets
>    are off regarding wbinfo -r without wbinfo -a or an smb login. The
>    problem here is -- it works sometimes with incomplete information and
>    it's very hard to figure out the exact circumstances when it works
>    and when it does not.
> 
> So an idea would be to really delete the code that enumerates anything but
> passdb users, and anything that tries to query group membership info without a
> netsamlogon_cache.tdb entry. For passdb we can look at the local database.
> 
> Thoughts? Too extreme?

Sorry for chiming in so late...

I think these are the right steps, you have my
full support -- we have often talked about these
problems before, so thanks for taking it up!

If we'd do it in steps, my order of prio would be
to first get rid of the enum stuff and then the
group membership.


And commenting on Stefan Kania's (and others') concerns:

The fact that many users use the wrong commands
for testing the domain connection despite us telling
them not to do it over and over again, is not a reason
to keep the commands, imho! I just means that all the
education has not worked out in all those years and now
poeple have to learn the hard way... And as Volker and
others said: there will even be alternatives for getting
lists if you really need them. The may not be the exact
same call but they will be there (or already are).

Cheers - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161116/7f6ee1d4/signature.sig>

More information about the samba-technical mailing list