Radically trim down winbind?

Stefan Kania stefan at kania-online.de
Wed Nov 16 16:58:18 UTC 2016


Am 16.11.16 um 12:40 schrieb Michael Adam:
> On 2016-11-03 at 21:45 +0100, Volker Lendecke wrote:
>> Hi!
>>
>> While looking at problems with our winbindd_domain_list and trust
>> enumeration I just had an idea: Just discard everything that can't
>> reliably work. The two main things are:
>>
>> 1. Enumerating users and groups: I can see one scenario where this could
>>    possibly work, and that is on a DC for the local domain. Everything
>>    else is just prone to fail, because we don't have the privileges to
>>    enumerate things or we can't reach DC's or a thousand other reasons
>>    like timeouts in huge domains.
>>
>> 2. Querying group memberships without a pac/info3 struct. Again, the only
>>    scenario might be on a dc for the local users. For everything else
>>    we *must* rely on the DC to give us the group membership info after a
>>    successful login. I can't count the number of times I have explained
>>    to users (and Samba Team people, just this week.... :-) that all bets
>>    are off regarding wbinfo -r without wbinfo -a or an smb login. The
>>    problem here is -- it works sometimes with incomplete information and
>>    it's very hard to figure out the exact circumstances when it works
>>    and when it does not.
>>
>> So an idea would be to really delete the code that enumerates anything but
>> passdb users, and anything that tries to query group membership info without a
>> netsamlogon_cache.tdb entry. For passdb we can look at the local database.
>>
>> Thoughts? Too extreme?
> 
> Sorry for chiming in so late...
> 
> I think these are the right steps, you have my
> full support -- we have often talked about these
> problems before, so thanks for taking it up!
> 
> If we'd do it in steps, my order of prio would be
> to first get rid of the enum stuff and then the
> group membership.
> 
> 
> And commenting on Stefan Kania's (and others') concerns:
> 
> The fact that many users use the wrong commands
> for testing the domain connection despite us telling
> them not to do it over and over again, is not a reason
> to keep the commands, imho! I just means that all the
> education has not worked out in all those years and now
> poeple have to learn the hard way... And as Volker and
> others said: there will even be alternatives for getting
> lists if you really need them. The may not be the exact
> same call but they will be there (or already are).
Ok, if as Volker and you said, put a "useful" error-message if someone
try to get the list with "wbinfo -u/g" then I think it will work. I
think after this discussion I will start teaching NOT to uses wbinfo to
get the list of all users. But it's so easy and short and simple ;-))

Stefan
> 
> Cheers - Michael
> 


-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schl├╝ssel liegt auf

hkp://subkeys.pgp.net


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161116/c94c5f36/signature.sig>


More information about the samba-technical mailing list