Radically trim down winbind?

Volker Lendecke vl at samba.org
Fri Nov 4 10:37:24 UTC 2016


On Fri, Nov 04, 2016 at 10:24:15AM +0100, Stefan Kania wrote:
> How many installations with 100k users do you have? How many
> installations with less than 500 users do you have? You always keep in
> mind that samba is used in many different environments. So "wbinfo
> -u/-g" is used very often to see if the connection to the DC is
> working. The two parameters "winbind enum users/groups" can be removed;
> it's not very good to list users and groups even with 500 users.

Yes, and that purpose is just a wrong use. Even for 50 users. We
have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
domain\\administrator. What we could do is move the complex logic to
list users into the wbinfo binary if this is such a critical feature to
have under the wbinfo command. Alternatively we can provide a descriptive
message to use wbinfo --ping-dc when someone types in wbinfo -u. Or turn
wbinfo -u/-g into wbinfo --ping-dc if people are so used to typing wbinfo
-u to test DC connectivity.

I am happy to provide a net ads search shortcut to list users and
groups, assuming it does not exist yet. I just believe this
functionality does not belong in winbind.

The deeper reason why I want this out is:

We need to get rid of the internal winbind domain list. We cannot rely
on being able to enumerate all trusts. On a member, we have one domain we
can reliably connect to. On a DC, we have a fixed list of explicit
outgoing trusts that we know about locally. That's it.

RFC2307 attributes in a trusted domain are the only valid reason to
connect to a trusted DC from a member, and that one has already been
liberated from depending on enumerating trusts.

User/group enumeration and trying to get group memberships are the big
ones that right now look at that list. We *could* of course try to
mimic that on-demand without listing trusts, but this is a lot of
effort for something that we can't ever make work reliably, just
because Windows clients don't do it.

> > We already have replacements: samba-tool user list and samba-tool
> > group list
> On a DC but not on a member. Yes, you can always do an ssh to the DC,
> but it will not show if all users are visible on the member. In bigger
> installations the admins responsible for the fileserver do not even have
> the possibility to do an ssh to the DC because someone else is
> responsible for the DCs.
> The same with the ldb-tools: I don't want to install the ldb-tool on
> all member servers.

Look at the Windows GUI: You have a search window where you can
validate users. By default Windows will only list the first 2000
users, for a good reason. Even a Windows member does not have the
ability to list all users in the domain(s). Maybe we can find a good
description on the Microsoft websites as to why they cut it and point
our users at it.

Volker
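The connectivity checks Volker recommends instead of `wbinfo -u` (trust secret, DC ping, name lookup) can be combined into a small member-server health check. The script below is an added example for this thread, not code from the Samba project or from either poster. It assumes a domain name passed as the first argument (EXAMPLE in the usage line), uses the built-in Administrator account as a lookup target, and reads the `wbinfo` path from the WBINFO variable so a stub can stand in for the real binary when the script is exercised without a domain.

```shell
#!/bin/sh
# Added example (not Samba project code): a winbind health check that
# uses only the per-domain tests mentioned in the thread (wbinfo -t,
# wbinfo --ping-dc, wbinfo -n) and never enumerates users or groups.
# WBINFO may be overridden to point at a stub function for testing.
WBINFO="${WBINFO:-wbinfo}"

# Run one wbinfo test and print a one-line verdict.
# $1: label; remaining arguments are passed to wbinfo unchanged.
run_check() {
    label="$1"; shift
    if out="$("$WBINFO" "$@" 2>&1)"; then
        echo "ok   $label: $out"
        return 0
    fi
    echo "FAIL $label: $out"
    return 1
}

# Check DC connectivity for the domain named in $1 (e.g. EXAMPLE).
# Returns the number of failed checks, so 0 means healthy.
# Administrator is used as the lookup name because every AD domain has it;
# the domain itself is whatever the caller supplies (assumption).
check_winbind_health() {
    domain="$1"
    failures=0
    run_check "trust secret" -t || failures=$((failures + 1))
    run_check "dc reachable" --ping-dc || failures=$((failures + 1))
    run_check "name lookup" -n "${domain}\\Administrator" || failures=$((failures + 1))
    return "$failures"
}

# Usage: sh winbind-health.sh EXAMPLE
if [ "$#" -gt 0 ]; then
    check_winbind_health "$1"
fi
```

The exit status doubles as a count of failed checks, which makes the script usable from a monitoring agent: a non-zero status identifies a broken member without anyone having to list the domain's users.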