winbindd vs. lsarpcd/netlogond
Elrond
elrond at samba.org
Thu Jul 13 12:55:33 GMT 2000
Hi Tim,
I'm thinking about this now and then, and now I'm just
going to write it up.
I'm just seeing, that winbindd is doubling a bunch of
functionality, that from my point of view should be in
lsarpcd or netlogond.
For example: You've just added a function to let the
workstation check its trustaccount password. AFAIK this is
a function, that lsarpcd or netlogond is supposed to be
able to do (look below for more info on this).
I think, winbindd should ask any things, that are more a
responsibility of samba-daemons, those daemons, instead of
trying to do the job itself.
I've seen from the cvs-messages, that HEAD is now going
even the opposite direction, in that the samba daemons
(HEAD has all that in one -- smbd -- I know) ask
winbind.
I thought, the first main purpose of winbind was to provide
nsswitch-services. The next purpose, that was added and
that makes sense to me, was pam-support. And one purpose,
that also makes some sense to me is the creation of
something like a SURS-daemon.
All these make quite some sense:
nsswitch and pam provide a way for Unix to live/interact in
an nt-environment and use their "resources".
A surs-daemon also makes some sense, because winbindd
already has to provide some mapping from sids to uid/gid
and vice-versa (also there are some little, but important
details in contrast to the surs, that samba-as-pdc needs,
but that's another story)
But I don't see, that "check the trust-password" is really
anything that has to do with unix<->nt interaction, it is
just something, that only has to do with nt. The normal
unix-world doesn't need to care about it in any way. So I
think, this stuff should be left to the samba-daemons.
Don't take offense at this, I just needed to write this up
somehow.
Okay: I said above, that trust-account-checking is really
the job of netlogond/lsarpcd:
I know, that samba currently hasn't got this, so I even
don't know, which daemon is supposed to do it. But this
functionality exists.
There's a tool in the ntreskit called netdom.exe, it has
a function to let a remote ntbox check its trustpassword.
So it shouldn't be too hard to run this against some ntbox
and generate a trace. I can't do that easily currently, so
I don't have a trace for it. If someone wants to provide a
netmon-trace, that would be nice. :)
Elrond