Fixed [was Re: Authentication through transitive trusts]
Ken Cross
kcross at nssolutions.com
Sat Aug 2 23:14:59 GMT 2003
Jerry:
>
> > We have a customer with 650+ domains. Clearly, enumerating all those
> > suckers will be painful. But if we join a "resource" domain, we'd
> > want to be able to authenticate against an "authentication" domain
> > (that has all the user accounts).
>
> You really need to set 'winbind enumerate users = no' in this
> case. Same thing for groups.
>
> It would be an easy change to make winbindd only enumerate users from our
> local domain as in 'getent passwd' or even for wbinfo -u. See
> winbindd_setpwent().

We already have "winbind enum users = no" set everywhere, but that doesn't
affect "wbinfo -u". (Ditto for groups). For large forests, that's going to
be a Big Problem.

How 'bout we add a switch to wbinfo (and appropriate support in winbindd) to
limit the list on -u or -g to the domain we have joined, or some specific
domain. Maybe --domain=<domain-name> (with something like "." for the
domain we joined)?

Ken
________________________________
Ken Cross
Network Storage Solutions
Phone 865.675.4070 ext 31
kcross at nssolutions.com