[PATCH] Ask local netlogon pipe on an AD DC

Volker Lendecke vl at samba.org
Wed Mar 1 20:55:25 UTC 2017


On Thu, Mar 02, 2017 at 06:57:13AM +1300, Andrew Bartlett wrote:
> On Wed, 2017-03-01 at 14:03 +0100, Volker Lendecke wrote:
> > Hi!
> > 
> > Review appreciated!
> > 
> > Thanks, Volker
> 
> Thanks Volker.  I really appreciate your interest in getting the auth
> code correct here. 
> 
> I need to think carefully about the implications of going back to the
> SamLogon pipe here.  One challenge is that we will not be able to log
> as much of the audit information that I am working with Gary on, and
> the other is that we will start the same authentication stack from
> scratch again but in the netlogon server, where it won't have the 'sam
> only' flag you mentioned. 

I have a set of patches that make the "sam only" flag obsolete. The
confusion of everything forced through a single API call is what prevented
us from solving the unknown domain properly for more than a decade.

My arguments are:

Lower footprint -- winbind does not need to load all of auth_samba4
for this task, when netlogond is available with a patch of less than
50 lines. Winbind already does connect to local samr and lsa,
connecting to netlogond is just the next step.

Separation of concerns -- we have to make the netlogond pipe secure
anyway, and I want this to get better separated for security reasons.
Weak at this moment, but we need to get better here.

Code re-use -- we need to get the winbind netlogond client code right
for the member case anyway. If there is *any* different behaviour,
it's better we find this also in the DC case.

> I do want to get to the bottom of the right behaviour here.  It seems
> you, Gary and myself all started working on patches in the same area
> around the same time, which is sadly often the way in Samba.  Please
> don't push until I've also worked out how this will all work best. 

I will work in private until I have it right. Let's see who gets there
first. Sorry for posting premature and incomplete patches.

Volker
