Fixed [was Re: Authentication through transitive trusts]

Gerald (Jerry) Carter jerry at
Thu Aug 7 05:28:18 GMT 2003

On Sat, 2 Aug 2003, Ken Cross wrote:

> Jerry:
>
> > > We have a customer with 650+ domains.  Clearly, enumerating all those
> > > suckers will be painful.  But if we join a "resource" domain, we'd
> > > want to be able to authenticate against an "authentication" domain
> > > (that has all the user accounts).
> >
> > You really need to set 'winbind enumerate users = no' in this
> > case. Same thing for groups.
> >
> > It would be an easy change to make winbindd only enumerate users from our
> > local domain as in 'getent passwd' or even for wbinfo -u.  See
> > winbindd_setpwent().
>
> We already have "winbind enum users = no" set everywhere, but that doesn't
> affect "wbinfo -u".  (Ditto for groups).  For large forests, that's going to
> be a Big Problem.
>
> How 'bout we add a switch to wbinfo (and appropriate support in winbindd) to
> limit the list on -u or -g to the domain we have joined, or some specific
> domain.  Maybe --domain=<domain-name> (with something like "." for the
> domain we joined)?

Why are you running 'wbinfo -u'?  What purpose does it serve other than
debugging?  Are you piping the users to another program?

