[PATCH] Remove orphaned code

Alexander Bokovoy ab at samba.org
Tue Mar 14 20:34:40 UTC 2017


On Tue, 14 Mar 2017, Volker Lendecke via samba-technical wrote:
> Hi!
> 
> Review appreciated!
Looks good. RB+ by me, please commit together with other patches to save
on autobuild rounds.

FreeIPA configuration has not used the 'IPA_ldapsam' passdb module for a
long time anyway, only 'ipasam'. The 'ipasam' passdb module is the one you
refer to, in https://pagure.io/freeipa/blob/master/f/daemons/ipa-sam

In 2011 'ipasam' was created, so 'IPA_ldapsam' has not been in use for at
least five years. Over these five years the FreeIPA team managed to handle
whatever changes the passdb interface went through, so it is not a big
burden for maintenance out of the Samba tree.

Simo and I have a plan to change how FreeIPA clients running SSSD and
Samba at the same time should be handled, and the approach would
definitely be different from what is currently in the unused pdb_ipa.c. We
want to make sure Samba on such a client would always talk to its DC (IPA
master) for NTLMSSP authentication and re-use existing Kerberos host
principal keys as its machine account creds. It wouldn't know the clear text
password for the machine account but it shouldn't need that at all;
the Kerberos key would be enough. IDMAP parts are already handled by an
idmap plugin provided by SSSD. It doesn't yet handle group mapping and
local security authority parts but this is planned too.

So in the end a Samba member in a FreeIPA domain would not require a passdb
module that talks directly to LDAP.

-- 
/ Alexander Bokovoy


