Radically trim down winbind?

Rowland Penny repenny241155 at gmail.com
Fri Nov 4 10:15:40 UTC 2016


On Fri, 4 Nov 2016 10:24:15 +0100
Stefan Kania <stefan at kania-online.de> wrote:

> On 04.11.2016 at 10:00, Rowland Penny wrote:
> > On Fri, 04 Nov 2016 09:16:22 +0100 Andreas Schneider
> > <asn at samba.org> wrote:
> > 
> >> On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
> >>> On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider
> >>> wrote:
> >>>>> 1. Enumerating users and groups: I can see one scenario
> >>>>> where this could
> >>>>> 
> >>>>> possibly work, and that is on a DC for the local domain. 
> >>>>> Everything else is just prone to fail, because we don't
> >>>>> have the privileges to enumerate things or we can't reach
> >>>>> DC's or a thousand other reasons like timeouts in huge
> >>>>> domains.
> >>>> 
> >>>> Do you mean 'getent passwd' enumeration or do you mean
> >>>> 'wbinfo -u'. At least I find 'wbinfo -u' useful, which I
> >>>> changed the default some time ago. It only enumerates our own
> >>>> domain by default.
> >>> 
> >>> I mean both. Even wbinfo -u can be very tough regarding load.
> >>> If I talk to people dealing with AD every day, Microsoft wants
> >>> people to consolidate domains and reduce the number of trusts.
> >>> This means that domains will grow. You don't want to list 100k
> >>> users via winbind. Ever. As Uri said, we might need some easy
> >>> replacement that *might* grab the machine account password and
> >>> try what winbind does today, but this is an add-on.
> How many installations with 100k users do you have? How many
> installations with fewer than 500 users do you have? You always have
> to keep in mind that Samba is used in many different environments. So
> "wbinfo -u/-g" is used very often to see if the connection to the DC
> is working. The two parameters "winbind enum users/groups" can be
> removed; it's not very good to list users and groups even with 500
> users.
> 
> >> 
> >> I'm fine if we can provide a replacement. I think some people
> >> still find it useful. At least those with small domains or myself
> >> as a developer ...
> > 
> > We already have replacements: samba-tool user list and samba-tool
> > group list
> On a DC but not on a member. 

It works on my domain member:

rowland@devstation:~$ samba-tool user list -H ldap://member1 -k yes
Password for [rowland@SAMDOM.EXAMPLE.COM]:
albert
Administrator
rowland
emily
fred
testUser1
dns-MEMBER1
......
....

Rowland
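As an added example (not code from this thread or from the Samba project), here is the "is the connection to the DC working?" check that Stefan says people use `wbinfo -u/-g` for, rebuilt from constant-cost wbinfo(1) calls so that it never enumerates the directory, which is the load problem Volker describes. It assumes a joined domain member with winbindd running and wbinfo on PATH; the domain name SAMDOM and the probe account rowland are placeholders taken from Rowland's prompt, and the unqualified name lookup assumes that account lives in the member's own domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Cheap "is winbind talking to a DC?" checks that never enumerate the
# directory, as a replacement for the 'wbinfo -u/-g' habit discussed above.
# Assumes: the host is a joined domain member with winbindd running and
# Samba's wbinfo(1) on PATH. SAMDOM and rowland are placeholders taken
# from Rowland's prompt; override them with environment variables.

DOMAIN="${DOMAIN:-SAMDOM}"
PROBE_USER="${PROBE_USER:-rowland}"   # any one account known to exist (assumption)

failures=0

# Run one probe, report PASS/FAIL, and count the failures.
check() {
    desc=$1
    shift
    if "$@" >/dev/null 2>&1; then
        printf 'PASS  %s\n' "$desc"
    else
        printf 'FAIL  %s  (%s)\n' "$desc" "$*"
        failures=$((failures + 1))
    fi
}

# Five constant-cost probes. Each exercises a different layer (local
# winbindd, NETLOGON to a DC, machine account secret, LSA name lookup,
# NSS/idmap resolution) without listing users or groups.
# Returns the number of failed probes, so 0 means "connection is working".
dc_health_check() {
    failures=0
    check "winbindd answers"                        wbinfo --ping
    check "NETLOGON connection to a DC of $DOMAIN"  wbinfo --ping-dc --domain="$DOMAIN"
    check "machine account secret is valid"         wbinfo -t
    check "name -> SID lookup of $PROBE_USER"       wbinfo -n "$PROBE_USER"
    check "NSS/idmap resolution of $PROBE_USER"     wbinfo -i "$PROBE_USER"
    return "$failures"
}

# Usage: sh dc_check.sh run
case "${1:-}" in
    run) dc_health_check ;;
esac
```

Run it as `sh dc_check.sh run`; the exit status is the number of failed probes, so it drops straight into a monitoring check. If a full listing really is needed from a member, Rowland's `samba-tool user list -H ldap://member1 -k yes` above gets it over LDAP rather than through winbind.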



