Radically trim down winbind?
Volker Lendecke
vl at samba.org
Fri Nov 4 12:16:10 UTC 2016
On Fri, Nov 04, 2016 at 11:50:37AM +0000, Rowland Penny wrote:
> On Fri, 4 Nov 2016 12:44:46 +0100
> Volker Lendecke <vl at samba.org> wrote:
>
> > On Fri, Nov 04, 2016 at 10:56:37AM +0000, Rowland Penny wrote:
> > > > Yes, and that purpose is just a wrong use. Even for 50 users. We
> > > > have wbinfo -t, wbinfo --ping-dc and other tests like wbinfo -n
> > > > domain\\administrator. What we could do is move the complex logic
> > > > to list users into the wbinfo binary if this is such a critical
> > > > feature to have under the wbinfo command. Alternatively we can
> > > > provide a descriptive message to use wbinfo --ping-dc when
> > > > someone types in wbinfo -u. Or turn wbinfo -u/-g into wbinfo
> > > > --ping-dc if people are so used to typing wbinfo -u to test DC
> > > > connectivity.
> > >
> > > It is not that people are used to typing 'wbinfo -u', it is that
> > > just about every 'howto create a DC' out there on the internet
> > > tells you to do this ;-)
> >
> > On the DC itself the story for the locally hosted users is completely
> > different. There we have access to the right credentials, we could
> > even access sam.ldb if we wanted to (do we? ;-)). It is Samba as a
> > member or a trusting dc that should not enumerate anything remotely.
> >
> > Volker
>
> Oh dear, just checked this page on the wiki:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
...
> So, even we are doing this.
... not anymore :-)
The section on "getent passwd" needs modification too I guess.
Volker
More information about the samba-technical
mailing list