Avoiding further (LDAP) stack proliferation in Samba

Andrew Bartlett abartlet at samba.org
Tue Jun 9 09:15:52 UTC 2020

On Tue, 2020-06-09 at 08:45 +0200, Karolin Seeger via samba-technical
> Hi,
> On 09.06.20 at 01:17, Christof Schmitt via samba-technical wrote:
> > Hi Andrew,
> > 
> > as Metze wrote, there is still work to be done across tldap and ldb, and
> > probably more questions will come up, which libraries to re-use, how to
> > handle dependencies to those, etc.
> > 
> > For winbindd, the long-term goal is to improve failover to different
> > domain controllers, in case of network problems or DC outages. The
> > current problem today is that winbindd uses libads, which encapsulates
> > DC selection, LDAP queries and retries in a way that is completely
> > outside of the control of winbindd. So the idea is to move winbindd to
> > tldap first, and then later on move winbindd to be fully async, avoid
> > the child processes and keep the connection state in one place.
> > 
> > The goals to unify the LDAP stacks are worthwhile, but I do not see
> > those as necessary for the winbindd changes. I suspect that would also
> > trigger a wider discussion, e.g. which ASN.1 library to use, how to
> > represent common data structures, where to put these to handle
> > dependencies.
> I do fully agree on this! Why can't we go ahead with tldap now (which is
> used in other places also) to fix the bug and do the re-design later?

I'm sorry, I still hold to my disagreement. 

It is really important to understand that while this will fix bugs, I
don't see this as a bug fix.  This is a lift-and-shift.  These
operations are both delicate and risky.  They also often fix bugs and
introduce important new features.

But this change needs to be evaluated as that, fully aware of the
implications, not just passed in as a bug fix.

I've been involved in implementing and in particular reviewing a large
number of lift-and-shift operations in Samba.  Rarely are they as
simple as they appear, and this one has the added complexity in what
I've raised about the target.

Therefore this cannot be simply regarded as a 'bug fix'.  I'm very

Furthermore I've been told that this is actually the culmination of a
significant amount of work over a period of months or even a year.  I'm
incredibly sad that this work got to this late stage before public
discussions allowed these issues to become apparent.

That is awful for everyone, and for that I'm sorry.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
