[Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(

Timur I. Bakeyev timur at com.bat.ru
Fri Aug 17 01:39:33 GMT 2007


Hi, Jerry!

On Wed, Aug 15, 2007 at 03:41:54PM -0500, Gerald (Jerry) Carter wrote:
> Wilkinson, Alex wrote:
> > 
> > In the Oreilly "Using Samba" book pg 292 it is recommended 
> > to turn off Winbindd(8) user and group enumeration (very
> > expensive operation). However, when doing this on
> > FreeBSD -CURRENT the groups that users are in are not recognised.
> > 
> 
> If this is true, then it is a really bad design in
> FreeBSD.  Timur, can you confirm this?  Does FreeBSD
> rely on set/get/endgrent to get group memberships?

What exactly do you mean by "get group memberships"? I think that if
you scratch any of the group-related functions, you'll find *grent
functions underneath, in FreeBSD at least.

I assume you refer to getgrouplist(3). Its man page says:

BUGS
 The getgrouplist() function uses the routines based on getgrent(3).  If
 the invoking program uses any of these routines, the group structure will
 be overwritten in the call to getgrouplist().

Another function, getgroups(2), doesn't seem to have such a comment in
the man page, but I can't really imagine where else it can get user
group list information.

On top of that, although passwd is shadowed in FreeBSD and stored in
a BerkeleyDB file, group is just a plain text file (or ldap, or nis) -
in all cases *grent functions are called.

I thought that Linux has a similar approach, but from your question it
seems it doesn't. Can you give more details, please?

with best regards,
Timur.
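
The following check is an added example, not part of the original message or of Samba or FreeBSD code. It rebuilds a user's group list purely from set/get/endgrent enumeration and compares it with what getgrouplist(3) reports, to show whether a platform resolves memberships for groups that enumeration does not return. The function names and MAXG are made up for the example, and the getgrouplist() signature with gid_t arguments (FreeBSD, glibc) is assumed.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#define MAXG 256
static int has_gid(const gid_t *set, int n, gid_t g)
{
    for (int i = 0; i < n; i++) if (set[i] == g) return 1;
    return 0;
}

/* Membership rebuilt only from set/get/endgrent enumeration: the primary
 * gid first, then each enumerated group that lists `user` as a member. */
int groups_by_enumeration(const char *user, gid_t primary, gid_t *out, int max)
{
    struct group *gr;
    int n = 0;
    if (max < 1) return 0;
    out[n++] = primary;
    setgrent();
    while ((gr = getgrent()) != NULL)
        for (char **m = gr->gr_mem; m && *m; m++)
            if (strcmp(*m, user) == 0 && n < max && !has_gid(out, n, gr->gr_gid))
                out[n++] = gr->gr_gid;
    endgrent();
    return n;
}

/* Count gids getgrouplist(3) reports but enumeration never showed (-1: overflow). */
int missed_by_enumeration(const char *user, gid_t primary)
{
    gid_t seen[MAXG], listed[MAXG];
    int nlisted = MAXG, missed = 0;
    int nseen = groups_by_enumeration(user, primary, seen, MAXG);
    if (getgrouplist(user, primary, listed, &nlisted) < 0) return -1;
    for (int i = 0; i < nlisted; i++)
        if (!has_gid(seen, nseen, listed[i])) missed++;
    return missed;
}

int main(int argc, char **argv)
{
    struct passwd *pw = getpwnam(argc > 1 ? argv[1] : "root");
    if (!pw) { fprintf(stderr, "unknown user\n"); return 2; }
    printf("%s: %d group(s) not visible to getgrent()\n",
           pw->pw_name, missed_by_enumeration(pw->pw_name, pw->pw_gid));
    return 0;
}
```

Where getgrouplist() is built on getgrent(), as the quoted BUGS text describes, the count is always 0; a non-zero count means memberships come from a lookup that does not depend on enumeration.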
	       

