3.0: access to listing groups/speed of listing users

Andrew Bartlett abartlet at samba.org
Mon Apr 7 00:40:59 GMT 2003

On Mon, 2003-04-07 at 05:10, Dariush Forouher wrote:
> Hi,
> I've set up successfully group mapping in LDAP, but I experience one
> problem: Only root can get a list of groups from samba.
> If I try this with an ordinary user, I get an empty list of groups
> through win2k security settings or an error message through usrmgr ("Der
> Stub erhielt falsche Daten").
> smbd logs this:
> [2003/04/06 19:54:12, 0] passdb/pdb_ldap.c:ldapsam_open(435)
>   ldapsam_open: cannot access LDAP when not root..
> [2003/04/06 19:54:12, 0] passdb/pdb_ldap.c:ldapsam_retry_open(509)
>   Connection to LDAP Server failed for the 1 try!
> [2003/04/06 19:54:12, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2567)
>   LDAP search failed: Insufficient access
> [2003/04/06 19:54:12, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2629)
>   Unable to open passdb
> [2003/04/06 19:54:12, 1] rpc_server/srv_samr_nt.c:load_group_domain_entries(305)
>   load_group_domain_entries: pdb_enum_group_mapping() failed!
> If I define NO_LDAP_SECURITY in pdb_ldap.c, win2k and `net rpc group`
> display the groups (But I hope there is another solution beside enabling
> such a dangerous sounding switch ;).
> Usermgr displays them too, but ordinary users now cannot view the
> details of an user or a group ("Access denied...").

Yes, we need to work on this.

> Another thing:
> usrmgr needs about 5 sec. to display about 800 users&groups.
> Win2k (security settings of a file) needs nearly 30 secs until it has
> the complete list! log.smbd shows that samba is fetching the users list
> _five_ time for win2k against one time for usrmgr. This is a really
> large difference, so are here any possibilities to reduce the durage?

Try adding indexes to your ldap directory.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030407/c08ff0f8/attachment.bin

More information about the samba-technical mailing list