Radically trim down winbind?

Andrew Bartlett abartlet at samba.org
Fri Nov 4 19:25:23 UTC 2016


On Fri, 2016-11-04 at 14:39 +0100, Volker Lendecke wrote:
> 
> I have a customer with a piece of software that does wbinfo -u at
> least once a day for auditing purposes. I was not aware that this was
> happening until this software was installed in a domain with a few
> thousand users (so large, but not huge). In their lab with the test
> infrastructure it worked fine, but the customer is bitterly
> complaining about outages once a day. It took a while to even find
> the wbinfo -u process and where it came from. This wbinfo -u is so deeply
> embedded into the auditing software that they now have to live with
> the outages. Had wbinfo -u not existed in this form, they would have
> gotten to a much better solution earlier: Ask for users on demand as
> they access the system.

This is the clincher for me.  

For a non-samba developer/integrator, wbinfo -u is really, really easy
to use.  But it is a land-mine if it is going to block the rest of the
system.

What the developer/integrator wants is a tool that:
 - talks to the currently associated DC
 - uses the machine account credentials
 - produces a list of users/groups

None of these things mean the actual data, 100k of names, needs to flow
past winbindd.  And that we don't currently spin off a dedicated
process makes it a nightmare. 

I think at one point we cached this, but caches are dangerous at the
best of times, they get worse the more they are needed :-)

We have perfectly good C and python user-space programs that can handle
this, perhaps they could ask winbindd for the current DC to talk to if
they like. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



