Radically trim down winbind?

Fri Nov 4 09:24:15 UTC 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am 04.11.2016 um 10:00 schrieb Rowland Penny:
> On Fri, 04 Nov 2016 09:16:22 +0100 Andreas Schneider
> <asn at samba.org> wrote:
> 
>> On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
>>> On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider
>>> wrote:
>>>>> 1. Enumerating users and groups: I can see one scenario
>>>>> where this could
>>>>> 
>>>>> possibly work, and that is on a DC for the local domain. 
>>>>> Everything else is just prone to fail, because we don't
>>>>> have the privileges to enumerate things or we can't reach
>>>>> DC's or a thousand other reasons like timeouts in huge
>>>>> domains.
>>>> 
>>>> Do you mean 'getent passwd' enumeration or do you mean
>>>> 'wbinfo -u'. At least I find 'wbinfo -u' useful, which I
>>>> changed the default some time ago. It only enumerates our own
>>>> domain by default.
>>> 
>>> I mean both. Even wbinfo -u can be very tough regarding load.
>>> If I talk to people dealing with AD every day, Microsoft wants
>>> people to consolidate domains and reduce the number of trusts.
>>> This means that domains will grow. You don't want to list 100k
>>> users via winbind. Ever. As Uri said, we might need some easy
>>> replacement that *might* grab the machine account password and
>>> try what winbind does today, but this is an add-on.
How many installations with 100k users you have? How many
installations with less then 500 users you have. You alway keep in
mind that samba is used in many different environments. So "wbinfo
- -u/-g" is used very often to see, if the connection to the DC is
working. The two parameters "winbind enum users/grougs" can be removed
it's not a very good to list users and groups even with 500 users.

>> 
>> I'm fine if we can provide a replacement. I think some people
>> still find it useful. At least those with small domains or myself
>> as a developer ...
> 
> We already have replacements: samba-tool user list and samba-tool
> group list
On a DC but not on a member. Yes you can always do an ssh to the DC
but it will not show if all users are visible on the member. In bigger
installations the admins responsible for the fileserver not even have
the possibility to do an ssh to the DC because someone else is
responsible for the DCs.
The same with the ldb-tools, I don't want to install the ldb-tool on
all memberservers.
> 
>> 
>>> 
>>>> Yes, that's what I'm voting for since a long time. I think
>>>> that the 'id' command without a samlogon cache should only
>>>> return the uid and the primary gid and nothing else.
Agree
>>>> It is really confusing because our users think these
>>>> information are correct which are returned right now!
>>> 
>>> Ok, sold on that one? :-)
>> 
>> Go ahead.
>> 
>> 
>> I would wait till Monday that more people can comment. Then
>> propose a patch.
>> 
>> :)
>> 
>> 
> 
> Never put off till tomorrow what you can do today ;-)
> 
> Rowland
> 

- -- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schlüssel liegt auf

hkp://subkeys.pgp.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlgcU78ACgkQ2JOGcNAHDTa+IQCfUsB62S/1Qdu66jqHtcHfR8Ub
yU8AoOFD+C6rEZNwPw5+DKtPAkiyudHj
=NeX7
-----END PGP SIGNATURE-----