Radically trim down winbind?
abartlet at samba.org
Fri Nov 4 19:25:23 UTC 2016
On Fri, 2016-11-04 at 14:39 +0100, Volker Lendecke wrote:
> I have a customer with a piece of software that does wbinfo -u at
> least once a day for auditing purposes. I was not aware that this was
> happening until this software was installed in a domain with a few
> thousand users (so large, but not huge). In their lab with the test
> infrastructure it worked fine, but the customer is bitterly
> complaining about outages once a day. It took a while to even find
> the wbinfo -u process and where it came from. This wbinfo -u is so deeply
> embedded into the auditing software that they now have to live with
> the outages. Had wbinfo -u not existed in this form, they would have
> gotten to a much better solution earlier: Ask for users on demand as
> they access the system.

This is the clincher for me.

For a non-samba developer/integrator, wbinfo -u is really, really easy
to use. But it is a land-mine if it is going to block the rest of the

What the developer/integrator wants is a tool that:
- talks to the currently associated DC
- uses the machine account credentials
- produces a list of users/groups

None of these things mean the actual data, 100k of names, needs to flow
past winbindd. And that we don't currently spin off a dedicated
process makes it a nightmare.

I think at one point we cached this, but caches are dangerous at the
best of times, they get worse the more they are needed :-)

We have perfectly good C and python user-space programs that can handle
this, perhaps they could ask winbindd for the current DC to talk to if

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical