AD attributes queried by 'id DOMAIN/user'
C.J. Adams-Collier KF7BMP
cjac at colliertech.org
Wed May 29 14:34:29 MDT 2013
On Wed, 2013-05-29 at 07:28 +0200, Andreas Schneider wrote:
> On Tuesday 28 May 2013 10:24:12 C.J. Adams-Collier KF7BMP wrote:
> > Hey folks,
> >
> > We're experiencing some long delays getting responses back from winbind
> > via nsswitch. Do any of you know off the top of your head which AD
> > attributes are being queried by id via nsswitch? I could walk through
> > nss_winbind_linux.c with gdb, but that doesn't sound like a fun way to
> > spend my day.
>
> Take a look at:
>
> https://blog.cryptomilk.org/2012/11/08/understanding-winbind/
Thank you sir. That was exactly what I needed.
It looks like the getgroups call is the one that's blocking. If I could
tell winbind to pass a objectCategory=group filter as well as
objectSid=<...> when performing group lookup queries, this would
substantially reduce the search domain. But I'm not an LDAP hero, so
this may not be what I should be doing.
Cheers,
C.J.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130529/3d7553bf/attachment-0001.pgp>
More information about the samba-technical
mailing list