Radically trim down winbind?
Stefan Kania
stefan at kania-online.de
Wed Nov 16 16:58:18 UTC 2016
On 16.11.16 at 12:40, Michael Adam wrote:
> On 2016-11-03 at 21:45 +0100, Volker Lendecke wrote:
>> Hi!
>>
>> While looking at problems with our winbindd_domain_list and trust
>> enumeration I just had an idea: Just discard everything that can't
>> reliably work. The two main things are:
>>
>> 1. Enumerating users and groups: I can see one scenario where this could
>> possibly work, and that is on a DC for the local domain. Everything
>> else is just prone to fail, because we don't have the privileges to
>> enumerate things or we can't reach DC's or a thousand other reasons
>> like timeouts in huge domains.
>>
>> 2. Querying group memberships without a pac/info3 struct. Again, the only
>> scenario might be on a dc for the local users. For everything else
>> we *must* rely on the DC to give us the group membership info after a
>> successful login. I can't count the number of times I have explained
>> to users (and Samba Team people, just this week.... :-) that all bets
>> are off regarding wbinfo -r without wbinfo -a or an smb login. The
>> problem here is -- it works sometimes with incomplete information and
>> it's very hard to figure out the exact circumstances when it works
>> and when it does not.
>>
>> So an idea would be to really delete the code that enumerates anything but
>> passdb users, and anything that tries to query group membership info without a
>> netsamlogon_cache.tdb entry. For passdb we can look at the local database.
>>
>> Thoughts? Too extreme?
>
> Sorry for chiming in so late...
>
> I think these are the right steps, you have my
> full support -- we have often talked about these
> problems before, so thanks for taking it up!
>
> If we'd do it in steps, my order of prio would be
> to first get rid of the enum stuff and then the
> group membership.
>
>
> And commenting on Stefan Kania's (and others') concerns:
>
> The fact that many users use the wrong commands
> for testing the domain connection despite us telling
> them not to do it over and over again, is not a reason
> to keep the commands, imho! It just means that all the
> education has not worked out in all those years and now
> people have to learn the hard way... And as Volker and
> others said: there will even be alternatives for getting
> lists if you really need them. They may not be the exact
> same call but they will be there (or already are).
Ok, if as Volker and you said, put a "useful" error-message if someone
tries to get the list with "wbinfo -u/g" then I think it will work. I
think after this discussion I will start teaching NOT to use wbinfo to
get the list of all users. But it's so easy and short and simple ;-))
Stefan
>
> Cheers - Michael
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps to reduce spam. Sign your
e-mail. More information at http://www.gnupg.org
My key is located at
hkp://subkeys.pgp.net