[PATCHES] authenticating users during short disconnects from AD

Uri Simchoni uri at samba.org
Mon Jan 9 07:46:30 UTC 2017


On 01/08/2017 04:11 PM, Volker Lendecke wrote:
> On Wed, Dec 28, 2016 at 04:21:16PM +0100, Volker Lendecke wrote:
>> On Wed, Dec 28, 2016 at 02:54:38PM +0200, Uri Simchoni wrote:
>>> #2 - we optimistically try sid2xid with type unspecified. The question
>>> is what to do if that fails - resolve the SIDs only for that call or for
>>> all later calls? Making a mental note that this backend needs sid lookup
>>> before mapping is good for backends which require this by their nature,
>>> such as rfc2307 - avoid the double lookup. OTOH some backends only need
>>> the SID type for allocation of new SIDs, so avoiding the "mental note"
>>> might result in better offline operation with those backends.
>>
>> Hmm. Right. It's only for new IDs. Maybe it is in fact better to
>> always do the double-roundtrip. Need to think about that a bit more.
> 
> One more thing I just found: Even autorid needs the type for some new
> mappings, autorid has an alloc range for special sids. So I think we
> should not generalize per domain but really per sid. This means doing
> the optimistic attempt always first might really be the right thing to
> do.
> 
> Volker
> 
Yeah, AFAICT only rid and passdb absolutely don't allocate, although
IMHO the special sids (well-known) might be handled by passdb with a
small change of code (the is_responsible business - passdb can be
responsible for well-known SIDs too, provided group mapping is in place).

I'll get back to it once we're out of the autobuild woods and I can base
it on your getpw{ent,nam,uid,sid} work. I made a small stab at the issue
today but no progress (one private autobuild failed with not enough
debug info, one succeeded, multiple test runs of the specific wbinfo
test all succeeded).

Thanks,
Uri.



