Radically trim down winbind?

Rowland Penny repenny241155 at gmail.com
Fri Nov 4 10:56:37 UTC 2016


On Fri, 4 Nov 2016 11:37:24 +0100
Volker Lendecke <vl at samba.org> wrote:

> On Fri, Nov 04, 2016 at 10:24:15AM +0100, Stefan Kania wrote:
> > How many installations with 100k users you have? How many
> > installations with less then 500 users you have. You alway keep in
> > mind that samba is used in many different environments. So "wbinfo
> > - -u/-g" is used very often to see, if the connection to the DC is
> > working. The two parameters "winbind enum users/grougs" can be
> > removed it's not a very good to list users and groups even with 500
> > users.
> 
> Yes, and that purpose is just a wrong use. Even for 50 users. We
> have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
> domain\\administrator. What we could do is move the complex logic to
> list users into the wbinfo binary if this is such a critical feature
> to have under the wbinfo command. Alternatively we can provide a
> descriptive message to use wbinfo --ping-dc when someone types in
> wbinfo -u. Or turn wbinfo -u/-g into wbinfo --ping-dc if people are
> so used to typing wbinfo -u to test DC connectivity.

It is not that people are used to typing 'wbinfo -u', it is that just
about every 'howto create a DC' out there on the internet tells you to
do this ;-)

> 
> I am happy to provide a net ads search shortcut to list users and
> groups, assuming it does not exist yet. I just believe this
> functionality does not belong into winbind.

Totally agree with you.

> 
> The deeper reason why I want this out is:
> 
> We need to get rid of the internal winbind domain list. We can not
> rely on being able to enumerate all trusts. On a member, we have one
> domain we can reliably connect to. On a DC, we have a fixed list of
> explicit outgoing trusts that we know about locally. That's it.
> 
> RFC2307 attributes in a trusted domain is the only valid reason to
> connect to a trusted DC from a member, and that one has already been
> liberated from depending on enumerating trusts.
> 
> User/group enumeration and trying to get group memberships are the big
> ones that right now look at that list. We *could* of course try to
> mimick that on-demand without listing trusts, but this is a lot of
> effort for something that we can't ever make work reliably, just
> because Windows clients don't do it.
>

From my perpective, Samba shouldn't do anything that windows doesn't,
except, of course, when it negatively affects Unix.
 
> > > We already have replacements: samba-tool user list and samba-tool
> > > group list
> > On a DC but not on a member. Yes you can always do an ssh to the DC
> > but it will not show if all users are visible on the member. In
> > bigger installations the admins responsible for the fileserver not
> > even have the possibility to do an ssh to the DC because someone
> > else is responsible for the DCs.
> > The same with the ldb-tools, I don't want to install the ldb-tool on
> > all memberservers.
> 
> Look at the Windows GUI: You have a search window where you can
> validate users. By default Windows will only list the first 2000
> users, for a good reason. Even a Windows member does not have the
> ability to list all users in the domain(s). Maybe we can find a good
> description on the Microsoft websites as to why they cut it and point
> our users at it.
> 
> Volker
> 

Thinking about the windows cut off, just image trying to scroll to the
bottom of 100,000 users ;-)

Rowland




More information about the samba-technical mailing list