Radically trim down winbind?

Volker Lendecke vl at samba.org
Fri Nov 4 08:07:45 UTC 2016


On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider wrote:
> > 1. Enumerating users and groups: I can see one scenario where this could
> >    possibly work, and that is on a DC for the local domain. Everything
> >    else is just prone to fail, because we don't have the privileges to
> >    enumerate things or we can't reach DCs or a thousand other reasons
> >    like timeouts in huge domains.
> 
> Do you mean 'getent passwd' enumeration or do you mean 'wbinfo -u'? At least
> I find 'wbinfo -u' useful, which I changed the default some time ago. It only
> enumerates our own domain by default.

I mean both. Even wbinfo -u can be very tough regarding load. If I talk to
people dealing with AD every day, Microsoft wants people to consolidate
domains and reduce the number of trusts. This means that domains will
grow. You don't want to list 100k users via winbind. Ever. As Uri said,
we might need some easy replacement that *might* grab the machine account
password and try what winbind does today, but this is an add-on.

> Yes, that's what I'm voting for since a long time. I think that the 'id'
> command without a samlogon cache should only return the uid and the primary
> gid and nothing else. It is really confusing because our users think this
> information is correct which is returned right now!

Ok, sold on that one? :-)

Volker


