FIxed [was Re: Authentication through transitive trusts]

Ken Cross kcross at
Sat Aug 2 23:14:59 GMT 2003


> > We have a customer with 650+ domains.  Clearly, enumerating 
> all those 
> > suckers will be painful.  But if we join a "resource" domain, we'd 
> > want to be able to authenticate against an "authentication" domain 
> > (that has all the user accounts).
> You really need to set 'winbind enumerate users = no" in this 
> case. Same thing for groups.
> It would be an easy change to make winbindd only enumerate 
> users from our 
> local domain as in 'getent passwd'  or even for wbinfo -u.  See 
> winbindd_setpwent().

We already have "winbind enum users = no" set everywhere, but that doesn't
affect "wbinfo -u".  (Ditto for groups).  For large forests, that's going to
be a Big Problem.

How 'bout we add a switch to wbinfo (and appropriate support in winbindd) to
limit the list on -u or -g to the domain we have joined, or some specific
domain.  Maybe --domain=<domain-name> (with something like "." for the
domain we joined)?


Ken Cross

Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at 

More information about the samba-technical mailing list