Skip to content

GitLab

Why GitLab
Pricing
Contact Sales
Explore

Sign in
Get free trial

Systemd user/group record lookup API via Varlink

Review changes
Download
Patches
Plain diff

Samuel Cabrero requested to merge samba-team/devel/samba:scabrero-wb-varlink into master Feb 08, 2023

Overview 12
Commits 31
Pipelines 10
Changes 83

This MR is a proof-of-concept implementation of the io.systemd.UserDatabase interface in winbind, providing user and group name resolution through nss_systemd (thus, deprecating nss_winbind in favor of nss_systemd).

I am aware that this MR may be controversial because systemd is only available in Linux and systemd itself was (is?) controversial, but the fact is that nowadays major distributions are using it so I think there is nothing bad in exploring its newer features.

From https://systemd.io/USER_GROUP_API/

Other projects are invited to implement these services too. For example it would make sense for LDAP/ActiveDirectory projects to implement these interfaces, which would provide them a way to do per-user resource management enforced by systemd and defined directly in LDAP directories.

To give more context, I have implemented this while creating a winbind container for ALP (https://news.opensuse.org/tag/adaptable-linux-platform). Other containerized workloads (e.g. gdm) are already making use of this systemd feature and nss_systemd is added to host's nsswitch.conf so instead of adding nss_winbind too I though about exploring this way and bind-mount /var/run/systemd/userdb/org.samba.winbind socket in the host to make AD users available outside the container.

The main reason of this MR is to hear other opinions so I will be glad to hear yours.

Continues from !2923 (closed).

TODO:

Fix a bug in libvarlink with camel case interface names (https://github.com/varlink/libvarlink/pull/58).
Fix a bug in libvarlink, data stuck in stream out buffer (https://github.com/varlink/libvarlink/pull/59).
Systemd JSON parser considers \ an unsafe character (https://github.com/systemd/systemd/pull/26386).
Bundle libvarlink in third_party? It is only packaged in Fedora, OpenSUSE in progress.
Tests

Checklist

Commits have Signed-off-by: with name/author being identical to the commit author
(optional) This MR is just one part towards a larger feature.
(optional, if backport required) Bugzilla bug filed and BUG: tag added
Test suite updated with functionality tests
Test suite updated with negative tests
Documentation updated
CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

There is a test suite reasonably covering new functionality or modifications
Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
This feature/change has adequate documentation added
No obvious mistakes in the code

Edited May 28, 2024 by Samuel Cabrero

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking