my trip to a big win2k/wk3 forest

Volker.Lendecke at SerNet.DE
Thu Oct 21 11:09:31 GMT 2004

On Tue, Oct 19, 2004 at 11:55:57AM -0300, Andreas wrote:
> network traffic went through the roof. It turns out KDE was enumerating all
> groups via getgrent in order to present the user with a nice dialog box with

This behaviour is broken by design. Notice the change in user admin tools from
Windows NT to Windows 2000: usrmgr.exe would list *all* users, mmc gives up
after a server-defined limit, but it does give you nice and handy search

> Now, a question more about the windows side of this. How does a windows 2k
> client behave in this scenario when one wants, for example, to give
> permission to a user from another domain? Does it contact the AD server for
> that domain to retrieve the user list or does it contact the local AD server
> and expect it to fetch this user list? From my observations, it seems samba
> would try to contact all AD servers it could.

It has to contact the foreign DC for a user list. The only thing the local DC
can do is translate SIDs to names and vice versa, and authenticate remote users.
Listing users, querying group memberships etc. can't be proxied via "our" DC.

> So, executive summary: - I think setting "winbind trusted domains only = yes"

Another workaround might be 'winbind enum users = no' and 'winbind enum groups
= no'. No winbind users at all in the listing, but full authentication
capabilities. If you explicitly ask for remote users, the corresponding nss
entries are still returned. getpwnam() and friends still work, only listing
stuff is prohibited for good reason. Your graphical application however would
have to give you the opportunity to explicitly look up a user. In all relevant

More information about the samba-technical mailing list