Restrict Winbind enumeration to specific OU?
Justin Maggard
jmaggard at infrant.com
Wed Oct 25 03:12:07 GMT 2006
Gerald (Jerry) Carter wrote:
> Justin Maggard wrote:
>
>> From what I've seen, using winbind in a large
>> corporate ADS environment tends to lead to a lot of
>> memory and CPU usage, which can be pretty
>> hard on an old system or an embedded system running
>> Samba. In many situations, it would be nice to
>> be able to limit winbind to one or more
>> specific OUs. Has any work been done to this end?
>>
>
> I used to think this was a good idea. But after you
> think about it, one realizes that it won't work in general
> if you restrict both users and groups. Perhaps we could get
> around by only restricting users to an OU. But no one
> has tried yet that I know.
>
> In general, disabling 'winbind enum {users,groups}' lessens
> much of the pain in large environments.
>
> cheers, jerry
Hmm, I think the idea of restricting only users to an OU would be a
great benefit in some cases. Setting winbind enum * = 0 certainly does
help some, but it would be great to be able to do either/both. Does
anyone know of a way to set things up from the Windows side so that the
Samba machine would only have access to a single OU?
- Justin