[PATCH] change 'winbind rpc only' to default to true

[Andreas Schneider]

On Friday, 17 June 2016 13:13:36 CEST Volker Lendecke wrote:
> On Fri, Jun 17, 2016 at 11:06:12PM +1200, Andrew Bartlett wrote:
> > On Fri, 2016-06-17 at 09:05 +0200, Volker Lendecke wrote:
> > > On Thu, Jun 16, 2016 at 05:14:32PM -0700, Jeremy Allison wrote:
> > > > The question is - do we leave things
> > > > as they are - which is security = ads and security = domain
> > > > both try LDAP calls, and will both fall-back
> > > > to RPC if there is any problem, or do we
> > > > make a change to force RPC (no LDAP)
> > > > if the setting is "security = domain" ?
> > > 
> > > IMHO the distinction does not really make sense at all. We should
> > > autodetect as much as possible. In short: I believe that
> > > winbind_ads.c
> > > needs to go.
> > 
> > I'm not sure of the mechanics (eg if winbind_ads should be used - is it
> > still the only way to get correct primary groups on user lists?), but I
> 
> My attitude towards this is that we can not get this at all in a reliable
> fashion in a trusted domain scenario. So why make so much fuss over
> it? To the best of *MY* limited knowledge of AD, the only reliable way
> to retrieve user data is to get a PAC or do a successful SamLogon call
> with the user's pass-through credentials. Has this changed, or have I
> always been wrong?

This is true. I worked with Günther on a patch that if 'id' is called and we 
can only get information about the user with the machine account, we only 
display the primary gid and nothing else.

Currently we try wired calls on trusted domain and end up with invalid groups 
shown for a user. If we have a valid netsamlogoncache, we display all groups.

We simply had too many bugs in the past and we should avoid trying to show 
information which is invalid.


	-- andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org