Fixed [was Re: Authentication through transitive trusts]
Gerald (Jerry) Carter
jerry at samba.org
Thu Aug 7 05:28:18 GMT 2003
On Sat, 2 Aug 2003, Ken Cross wrote:
> Jerry:
>
> >
> > > We have a customer with 650+ domains. Clearly, enumerating all those
> > > suckers will be painful. But if we join a "resource" domain, we'd
> > > want to be able to authenticate against an "authentication" domain
> > > (that has all the user accounts).
> >
> > You really need to set 'winbind enumerate users = no' in this
> > case. Same thing for groups.
> >
> > It would be an easy change to make winbindd only enumerate users from our
> > local domain as in 'getent passwd' or even for wbinfo -u. See
> > winbindd_setpwent().
>
> We already have "winbind enum users = no" set everywhere, but that doesn't
> affect "wbinfo -u". (Ditto for groups). For large forests, that's going to
> be a Big Problem.
>
> How 'bout we add a switch to wbinfo (and appropriate support in winbindd) to
> limit the list on -u or -g to the domain we have joined, or some specific
> domain. Maybe --domain=<domain-name> (with something like "." for the
> domain we joined)?
Why are you running 'wbinfo -u'? What purpose does it serve other than
debugging? Are you piping the users to another program?
jerry