[PR PATCH] idmap_rid: default group always set to "Domain Users"

Stefan Metzmacher metze at samba.org
Fri Apr 20 05:09:45 UTC 2018


Am 19.04.2018 um 19:24 schrieb Samuel Cabrero via samba-technical:
> On Fri, 2018-04-13 at 16:59 +0200, Volker Lendecke via samba-technical wrote:
>> On Thu, Apr 12, 2018 at 09:47:55PM +0300, Uri Simchoni via samba-technical wrote:
>>> The thing I'm less certain about is the "somehow". I'd guess an RPC to
>>> the DC would do it correctly irrespective of the winbindd backend, but I
>>> could be missing something here. In the original code we had a
>>> _wbint_QueryUser to deal with that on a per-backend basis, and it was
>>> removed in the series of commits that ended in
>>> 319d60285c92bbf86bc0a3f872f9c9f9d0530129. I'm not sure we really need
>>> this per-backend behavior though - all AD DC's support RPC, and the ad
>>> backend already does lots of RPC, it's far from pure ldap (and
>>> rightly so).
>>
>> wbint_QueryUser would have to use samr. This can at best (if at all)
>> with the domain we're member of. And even that is something we need to
>> get rid of. Without a samlogon cache entry there is just no reliable
>> way to get that done. The only way out is (I believe) a s4u2self
>> client, something which is in the works somewhere.
>>
>> Volker
>>
> 
> Hi,
> 
> what do you think about this patch? It calls SAMR QueryUserInfo only if
> there is no samlogon cache entry and, if the call succeeds, extracts the
> primary group SID, the account name and the full name. Then it lets the
> idmap backend override it (GetNssInfo call, only idmap_ad will do).

I think we should work towards removing all cm_connect_sam() calls
instead of re-adding them.

I think we had better not return any information at all if we
don't have the correct information.

We need to use S4U2Self in order to get this fixed.

metze
