Group "Domain Users"

Tim Potter tpot at
Mon Nov 11 17:45:09 GMT 2002

On Mon, Nov 11, 2002 at 01:40:25PM +0100, Michael Steffens wrote:

> recently David Shapiro complained about getent group not working
> in large domain groups, in particular "Domain Users":

> Resolved the problem in my local version by modifying winbindd_group.c
> such that domain groups "Domain Users" will never get members filled
> in the result. This is somewhat anologous to the habit not to
> list primary group members in /etc/group in order not to exceed
> maximum group sizes on systems with many local users.

I think this would be a candidate for Yet Another New Parameter.  We
could either have a parameter to explicitly disable the Domain Users
group, or maybe some generic filtering mechanism where you can specify
group names or rids not to resolve.

Looking at it perhaps the second option seems a bit complicated.

> In the attached patches I also disabled enumeration of domain
> users and groups in winbindd_list_users() and winbindd_list_groups()
> depending on parameters "winbind enum users" and "winbind enum groups".
> It's done the same way as in winbindd_setpwent() and winbindd_setgrent().

The winbind enum users/groups parameter deliberately doesn't stop wbinfo
from listing the groups so there is at least one way to enumerate users
and groups.  

The fact that a client disconnecting doesn't stop winbindd is a bug in 
winbindd but I think it will be hard to fix properly.


More information about the samba-technical mailing list