AD attributes queried by 'id DOMAIN/user'

C.J. Adams-Collier KF7BMP cjac at colliertech.org
Wed May 29 14:34:29 MDT 2013


On Wed, 2013-05-29 at 07:28 +0200, Andreas Schneider wrote:
> On Tuesday 28 May 2013 10:24:12 C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> > 
> > We're experiencing some long delays getting responses back from winbind
> > via nsswitch.  Do any of you know off the top of your head which AD
> > attributes are being queried by id via nsswitch?  I could walk through
> > nss_winbind_linux.c with gdb, but that doesn't sound like a fun way to
> > spend my day.
> 
> Take a look at:
> 
> https://blog.cryptomilk.org/2012/11/08/understanding-winbind/

Thank you, sir.  That was exactly what I needed.

It looks like the getgroups call is the one that's blocking.  If I could
tell winbind to pass an objectCategory=group filter as well as
objectSid=<...> when performing group lookup queries, this would
substantially reduce the search domain.  But I'm not an LDAP hero, so
this may not be what I should be doing.

Cheers,

C.J.
