[PR PATCH] idmap_rid: default group always set to "Domain Users"

Volker Lendecke Volker.Lendecke at SerNet.DE
Fri Apr 13 14:59:57 UTC 2018


On Thu, Apr 12, 2018 at 09:47:55PM +0300, Uri Simchoni via samba-technical wrote:
> The thing I'm less certain about is the "somehow". I'd guess an RPC to
> the DC would do it correctly irrespective of the winbindd backend, but I
> could be missing something here. In the original code we had a
> _wbint_QueryUser to deal with that on a per-backend basis, and it was
> removed in the series of commits that ended in
> 319d60285c92bbf86bc0a3f872f9c9f9d0530129. I'm not sure we really need
> this per-backend behavior though - all AD DCs support RPC, and the ad
> backend already does lots of RPC; it's far from pure LDAP (and rightly so).

wbint_QueryUser would have to use samr. This can at best (if at all)
work with the domain we're a member of. And even that is something we need to
get rid of. Without a samlogon cache entry there is just no reliable
way to get that done. The only way out is (I believe) a s4u2self
client, something which is in the works somewhere.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de