Radically trim down winbind?
vl at samba.org
Fri Nov 4 11:44:46 UTC 2016
On Fri, Nov 04, 2016 at 10:56:37AM +0000, Rowland Penny wrote:
> > Yes, and that purpose is just a wrong use. Even for 50 users. We
> > have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
> > domain\\administrator. What we could do is move the complex logic to
> > list users into the wbinfo binary if this is such a critical feature
> > to have under the wbinfo command. Alternatively we can provide a
> > descriptive message to use wbinfo --ping-dc when someone types in
> > wbinfo -u. Or turn wbinfo -u/-g into wbinfo --ping-dc if people are
> > so used to typing wbinfo -u to test DC connectivity.
> It is not that people are used to typing 'wbinfo -u', it is that just
> about every 'howto create a DC' out there on the internet tells you to
> do this ;-)
On the DC itself the story for the locally hosted users is completely
different. There we have access to the right credentials, we could
even access sam.ldb if we wanted to (do we? ;-)). It is Samba as a
member or a trusting DC that should not enumerate anything remotely.