[PATCH] Ask local netlogon pipe on an AD DC
Volker Lendecke
vl at samba.org
Wed Mar 1 20:55:25 UTC 2017
On Thu, Mar 02, 2017 at 06:57:13AM +1300, Andrew Bartlett wrote:
> On Wed, 2017-03-01 at 14:03 +0100, Volker Lendecke wrote:
> > Hi!
> >
> > Review appreciated!
> >
> > Thanks, Volker
>
> Thanks Volker. I really appreciate your interest in getting the auth
> code correct here.
>
> I need to think carefully about the implications of going back to the
> SamLogon pipe here. One challenge is that we will not be able to log
> as much of the audit information that I am working with Gary on, and
> the other is that we will start the same authentication stack from
> scratch again but in the netlogon server, where it won't have the 'sam
> only' flag you mentioned.
I have a set of patches that make the "sam only" flag obsolete. The
confusion of everything forced through a single API call is what prevented
us from solving the unknown domain properly for more than a decade.
My arguments are:
Lower footprint -- winbind does not need to load all of auth_samba4
for this task, when netlogond is available with a patch of less than
50 lines. Winbind already does connect to local samr and lsa,
connecting to netlogond is just the next step.
Separation of concerns -- we have to make the netlogond pipe secure
anyway, and I want this to get better separated for security reasons.
Weak at this moment, but we need to get better here.
Code re-use -- we need to get the winbind netlogond client code right
for the member case anyway. If there is *any* different behaviour,
it's better we find this also in the DC case.
> I do want to get to the bottom of the right behaviour here. It seems
> you, Gary and myself all started working on patches in the same area
> around the same time, which is sadly often the way in Samba. Please
> don't push until I've also worked out how this will all work best.
I will work in private until I have it right. Let's see who gets there
first. Sorry for posting premature and incomplete patches.
Volker