Alan Munter alan.munter at nist.gov
Tue Feb 8 18:45:48 GMT 2005

We have been running a few Linux machines (FC2) as members of our Win2k3
Active Directory domain.  They were all humming along fine using winbind
for logins and ldap on a local server for the SID->UID/GID mappings.

Things seem to have changed, however, when a one-way trust was set up
between our small AD domain and a much larger one.  The trust was set up
to allow members of the larger domain to sit down at our computers and
log in; however, it seems that now winbind or ldap or both are choking on
the ~3500 new people.

From a Samba linux member of the domain:

wbinfo -t works
wbinfo -u works most of the time, but is sometimes slow at getting
started and fast at printing all 3500 names once it starts
wbinfo -g same as wbinfo -u

getent passwd frequently hangs after listing the local /etc/passwd
contents, and when it does go on it seems to get incrementally further in
the list of 3500 people before it finally times out each time I run it

getent group works with many fewer entries

So my question is, what is going on and what can I do to help the
situation?  I actually would like to just deny users from the larger
domain from logging in to the Samba ADS domain computers, but
perhaps this is not possible with the trust set up between the Win2k3
domains.  Is the bottleneck our ldap server, or is there some
artificially configured maximum result size coming from a basically
default install of openldap?

Thanks in advance for any help.
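A check that separates the two failure modes the post describes (winbind itself slow to answer versus the NSS/LDAP layer stopping part-way through the list) is to compare what `wbinfo -u` returns with what `getent passwd` returns and see where the domain entries stop. The script below is an added example written for this thread, not code from the poster or from the Samba project. It assumes that `wbinfo -u` prints one `DOMAIN\user` name per line, that `getent passwd` prints standard colon-separated entries, and that the LDAP server is a stock slapd whose compiled-in `sizelimit` is 500 (the constant and the sample data are constructed for the example; the user names and UIDs are made up).

```python
"""Compare winbind's own user enumeration with what NSS hands back, so a
result-size cut-off can be told apart from a plain hang or timeout."""
import subprocess
import time

# slapd's compiled-in default "sizelimit" (assumed to apply to the default
# openldap install mentioned in the post; adjust if slapd.conf sets another).
OPENLDAP_DEFAULT_SIZELIMIT = 500


def parse_getent_passwd(text):
    """Return user names from `getent passwd` style output (name:x:uid:...)."""
    users = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            users.append(line.split(":", 1)[0])
    return users


def parse_wbinfo_users(text):
    """Return names from `wbinfo -u` output, one name per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def run_enumeration(cmd, timeout):
    """Run an enumeration command under a timeout; return (seconds, output).
    Output is None when the command is missing or did not finish in time."""
    start = time.monotonic()
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout, check=False)
        return time.monotonic() - start, proc.stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return time.monotonic() - start, None


def diagnose(wbinfo_users, getent_users, local_users,
             sizelimit=OPENLDAP_DEFAULT_SIZELIMIT):
    """Classify the gap between winbind's list and the NSS list.
    Domain entries are whatever getent returned that is not in local_users."""
    local = set(local_users)
    domain_seen = [u for u in getent_users if u not in local]
    missing = sorted(set(wbinfo_users) - set(domain_seen))
    report = {
        "winbind_count": len(wbinfo_users),
        "nss_domain_count": len(domain_seen),
        "missing_count": len(missing),
        "verdict": "ok",
    }
    if not wbinfo_users:
        report["verdict"] = "winbind_not_answering"
    elif len(domain_seen) == sizelimit and missing:
        # NSS stopped at exactly the LDAP size limit: a server-side cap,
        # not a slow winbind, is the likely cause.
        report["verdict"] = "nss_stops_at_size_limit"
    elif missing:
        report["verdict"] = "nss_truncated"
    return report


# Constructed sample: 3500 trusted-domain users known to winbind, but NSS
# only returns the local accounts plus the first 500 domain accounts.
SAMPLE_LOCAL = ["root", "daemon", "alan"]
SAMPLE_WBINFO = "\n".join("BIGDOM\\user%04d" % i for i in range(1, 3501)) + "\n"
SAMPLE_GETENT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin\n"
    "alan:x:1000:1000:Alan:/home/alan:/bin/bash\n"
    + "".join("BIGDOM\\user%04d:*:%d:10000::/home/BIGDOM/user%04d:/bin/bash\n"
              % (i, 10000 + i, i) for i in range(1, 501))
)


def demo():
    """Run the diagnosis over the constructed sample."""
    return diagnose(parse_wbinfo_users(SAMPLE_WBINFO),
                    parse_getent_passwd(SAMPLE_GETENT), SAMPLE_LOCAL)


if __name__ == "__main__":
    secs_w, wb_out = run_enumeration(["wbinfo", "-u"], timeout=60)
    secs_g, ge_out = run_enumeration(["getent", "passwd"], timeout=120)
    if wb_out is None or ge_out is None:
        print("live enumeration unavailable or timed out; using constructed sample")
        print(demo())
    else:
        with open("/etc/passwd") as fh:
            local = parse_getent_passwd(fh.read())
        print("wbinfo -u took %.1fs, getent passwd took %.1fs" % (secs_w, secs_g))
        print(diagnose(parse_wbinfo_users(wb_out),
                       parse_getent_passwd(ge_out), local))
```

On the sample the verdict is `nss_stops_at_size_limit`, which is the signature to look for if slapd's `sizelimit` is the cap; a count that drifts between runs with no fixed ceiling points instead at winbind's enumeration timing. Where the full enumeration is not needed at all, Samba's `winbind enum users` / `winbind enum groups` settings exist to turn it off so that `getent` only lists local accounts while individual lookups and logins keep working.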


