Radically trim down winbind?
L.P.H. van Belle
belle at bazuin.nl
Fri Nov 4 10:32:50 UTC 2016
> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
> On behalf of Rowland Penny
> Sent: Friday 4 November 2016 11:16
> To: samba-technical at lists.samba.org
> Subject: Re: Radically trim down winbind?
> On Fri, 4 Nov 2016 10:24:15 +0100
> Stefan Kania <stefan at kania-online.de> wrote:
> > On 04.11.2016 at 10:00, Rowland Penny wrote:
> > > On Fri, 04 Nov 2016 09:16:22 +0100 Andreas Schneider
> > > <asn at samba.org> wrote:
> > >
> > >> On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
> > >>> On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider
> > >>> wrote:
> > >>>>> 1. Enumerating users and groups: I can see one scenario
> > >>>>> where this could
> > >>>>> possibly work, and that is on a DC for the local domain.
> > >>>>> Everything else is just prone to fail, because we don't
> > >>>>> have the privileges to enumerate things or we can't reach
> > >>>>> DC's or a thousand other reasons like timeouts in huge
> > >>>>> domains.
> > >>>>
> > >>>> Do you mean 'getent passwd' enumeration or do you mean
> > >>>> 'wbinfo -u'. At least I find 'wbinfo -u' useful, which I
> > >>>> changed the default some time ago. It only enumerates our own
> > >>>> domain by default.
> > >>>
> > >>> I mean both. Even wbinfo -u can be very tough regarding load.
> > >>> If I talk to people dealing with AD every day, Microsoft wants
> > >>> people to consolidate domains and reduce the number of trusts.
> > >>> This means that domains will grow. You don't want to list 100k
> > >>> users via winbind. Ever. As Uri said, we might need some easy
> > >>> replacement that *might* grab the machine account password and
> > >>> try what winbind does today, but this is an add-on.
> > How many installations with 100k users do you have? How many
> > installations with less than 500 users do you have? You always keep in
> > mind that samba is used in many different environments. So "wbinfo
> > -u/-g" is used very often to see if the connection to the DC is
> > working. The two parameters "winbind enum users/groups" can be removed;
> > it's not very good to list users and groups even with 500 users.
> > >>
> > >> I'm fine if we can provide a replacement. I think some people
> > >> still find it useful. At least those with small domains or myself
> > >> as a developer ...
> > >
> > > We already have replacements: samba-tool user list and samba-tool
> > > group list
> > On a DC but not on a member.
> It works on my domain member:
> rowland at devstation:~$ samba-tool user list -H ldap://member1 -k yes
> Password for [rowland at SAMDOM.EXAMPLE.COM]:
Hai, small intrusion in this thread..
I used the same command as you, Rowland, but without smbd running,
only winbindd, for my proxy auth fallback.
It errors, but this is wrong; everything works correctly.
And all wbinfo tests work fine.
The error output (and this can be a "debian" thing); I'm just informing you guys.
I'll check this afternoon with a samba 4.5.1 build (this was 4.4.5).
ldb: unable to stat module /usr/lib/x86_64-linux-gnu/samba/ldb : No such file or directory
Unable to find backend for 'http://memberserverx - do you need to set LDB_MODULES_PATH?
ERROR(ldb): uncaught exception - Failed to load modules from: /usr/lib/x86_64-linux-gnu/samba/ldb
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 286, in run
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 57, in __init__
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 115, in __init__
self.connect(url, flags, options)
File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 72, in connect