Radically trim down winbind?
Andreas Schneider
asn at samba.org
Fri Nov 4 08:16:22 UTC 2016
On Friday, 4 November 2016 09:07:45 CET Volker Lendecke wrote:
> On Fri, Nov 04, 2016 at 08:47:57AM +0100, Andreas Schneider wrote:
> > > 1. Enumerating users and groups: I can see one scenario where this could
> > > possibly work, and that is on a DC for the local domain. Everything
> > > else is just prone to fail, because we don't have the privileges to
> > > enumerate things or we can't reach DC's or a thousand other reasons
> > > like timeouts in huge domains.
> >
> > Do you mean 'getent passwd' enumeration or do you mean 'wbinfo -u'?
> > At least I find 'wbinfo -u' useful, which I changed the default some
> > time ago. It only enumerates our own domain by default.
>
> I mean both. Even wbinfo -u can be very tough regarding load. If I talk to
> people dealing with AD every day, Microsoft wants people to consolidate
> domains and reduce the number of trusts. This means that domains will
> grow. You don't want to list 100k users via winbind. Ever. As Uri said,
> we might need some easy replacement that *might* grab the machine account
> password and try what winbind does today, but this is an add-on.
I'm fine if we can provide a replacement. I think some people still find it
useful. At least those with small domains or myself as a developer ...
>
> > Yes, that's what I'm voting for since a long time. I think that the 'id'
> > command without a samlogon cache should only return the uid and the
> > primary gid and nothing else. It is really confusing because our users
> > think this information is correct which is returned right now!
>
> Ok, sold on that one? :-)
Go ahead.
I would wait till Monday so that more people can comment. Then propose a patch.
:)
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org