Radically trim down winbind?

Fri Nov 4 08:16:22 UTC 2016

On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
> On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider wrote:
> > > 1. Enumerating users and groups: I can see one scenario where this could
> > > 
> > >    possibly work, and that is on a DC for the local domain. Everything
> > >    else is just prone to fail, because we don't have the privileges to
> > >    enumerate things or we can't reach DC's or a thousand other reasons
> > >    like timeouts in huge domains.
> > 
> > Do you mean 'getent passwd' enumeration or do you mean 'wbinfo -u'.
> > At least I
> > find 'wbinfo -u' useful, which I changed the default some time ago. It
> > only
> > enumerates our own domain by default.
> 
> I mean both. Even wbinfo -u can be very tough regarding load. If I talk to
> people dealing with AD every day, Microsoft wants people to consolidate
> domains and reduce the number of trusts. This means that domains will
> grow. You don't want to list 100k users via winbind. Ever. As Uri said,
> we might need some easy replacement that *might* grab the machine account
> password and try what winbind does today, but this is an add-on.

I'm fine if we can provide a replacement. I think some people still find it 
useful. At least those with small domains or myself as a developer ...

> 
> > Yes, that's what I'm voting for since a long time. I think that the 'id'
> > command without a samlogon cache should only return the uid and the
> > primary
> > gid and nothing else. It is really confusing because our users think these
> > information are correct which are returned right now!
> 
> Ok, sold on that one? :-)

Go ahead.

I would wait till Monday that more people can comment. Then propose a patch.

:)

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org