[Samba] ADS 2008 configuration

[Matthieu Patou]

On 04/02/2011 17:31, Robert Freeman-Day wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/03/2011 08:54 AM, Inder wrote:
>> Hi,
>>
>> I am Inderjit, and have some issues with configuration of samba with ADS 2008.
>>
>> I am able to connect to ADS 2008, but command "getent group" doesn't show always the output with ADS groups. We have more that 25000 users and domain controller is not located at same location.
>>
>> Could you please give me a hints or suggestions, what can be changed to solve this issue.
>>
>> Regards
>> Inderjit
> We have a large AD deployment as well.  I hope that someone in the
> developer group can speak to this with authority, but I theorize that
> there is a timeout implemented in a generalized query that broad.
> Remember, you are asking for a listing of ALL groups in your AD
> controller.  I can't even get Active Directory Users and Computers nor
> Powershell commands to output every group.
>
Exact, the man page of smb.conf says:
"       winbind enum groups (G)

            On large installations using winbindd(8) it may be necessary 
to suppress the enumeration of groups through the setgrent(), getgrent() and
            endgrent() group of system calls. If the winbind enum groups 
parameter is no, calls to the getgrent() system call will not return any 
data.

                Warning
                Turning off group enumeration may cause some programs to 
behave oddly.
            Default: winbind enum groups = no
"
Matthieu

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary