Radically trim down winbind?

Rowland Penny repenny241155 at gmail.com
Fri Nov 4 09:00:19 UTC 2016


On Fri, 04 Nov 2016 09:16:22 +0100
Andreas Schneider <asn at samba.org> wrote:

> On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
> > On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider wrote:
> > > > 1. Enumerating users and groups: I can see one scenario where
> > > >    this could possibly work, and that is on a DC for the local
> > > >    domain. Everything else is just prone to fail, because we
> > > >    don't have the privileges to enumerate things or we can't
> > > >    reach DC's or a thousand other reasons like timeouts in huge
> > > >    domains.
> > > 
> > > Do you mean 'getent passwd' enumeration or do you mean 'wbinfo
> > > -u'? At least I find 'wbinfo -u' useful, which I changed the
> > > default some time ago. It only enumerates our own domain by
> > > default.
> > 
> > I mean both. Even wbinfo -u can be very tough regarding load. If I
> > talk to people dealing with AD every day, Microsoft wants people to
> > consolidate domains and reduce the number of trusts. This means
> > that domains will grow. You don't want to list 100k users via
> > winbind. Ever. As Uri said, we might need some easy replacement
> > that *might* grab the machine account password and try what winbind
> > does today, but this is an add-on.
> 
> I'm fine if we can provide a replacement. I think some people still
> find it useful. At least those with small domains or myself as a
> developer ...

We already have replacements: samba-tool user list and samba-tool group
list

> 
> > 
> > > Yes, that's what I'm voting for since a long time. I think that
> > > the 'id' command without a samlogon cache should only return the
> > > uid and the primary gid and nothing else. It is really confusing
> > > because our users think this information, which is returned
> > > right now, is correct!
> > 
> > Ok, sold on that one? :-)
> 
> Go ahead.
> 
> 
> I would wait till Monday so that more people can comment. Then
> propose a patch.
> 
> :)
> 
> 

Never put off till tomorrow what you can do today ;-)

Rowland


