Re: [Samba] winbind enum = yes ... oreilly samba books says turn off ... but things break. confused :-(
Hi, Jerry!

On Wed, Aug 15, 2007 at 03:41:54PM -0500, Gerald (Jerry) Carter wrote:
> Wilkinson, Alex wrote:
> > In the Oreilly Using Samba book pg 292 it is recommended to turn off Winbindd(8) user and group enumeration (very expensive operation). However, when doing this on FreeBSD -CURRENT the groups that users are in are not recognised.
>
> If this is true, then it is a really bad design in FreeBSD. Timur, can you confirm this? Does FreeBSD rely on set/get/endgrent to get group memberships?

What do you mean exactly under get group memberships? I think, that if to scratch any of the group related functions, you'll find *grent functions underneath, in FreeBSD at least.

I assume, you refer to the getgrouplist(3). Its man page says:

    BUGS
         The getgrouplist() function uses the routines based on getgrent(3).
         If the invoking program uses any of these routines, the group
         structure will be overwritten in the call to getgrouplist().

Another function, getgroups(2), seems, doesn't have such a comment in the man page, but I can't really imagine, where else it can get user group list information.

At the top of it, although passwd is shadowed in FreeBSD and stored in BerkeleyDB file, group is just a plain text file (or ldap, or nis) - in all cases *grent functions are called.

I thought, that Linux has similar approach, but from your question it seems it's not. Can you give more details, please?

with best regards,
Timur.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] winbind enum = yes ... oreilly samba books says turn off ... but things break. confused :-(
On Fri, Aug 17, 2007 at 03:39:33AM +0200, Timur I. Bakeyev wrote:
> BUGS
>      The getgrouplist() function uses the routines based on getgrent(3).
>      If the invoking program uses any of these routines, the group
>      structure will be overwritten in the call to getgrouplist().

If getgrouplist really finds group members by doing the setgrent/getgrent/endgrent thing, then you're screwed. You just can't use FreeBSD as a member of large domains. I've seen a domain where domain users has more than 100.000 users, and doing getgrent on that one takes ages. This domain has other huge groups.

> Another function, getgroups(2), seems, doesn't have such a comment in the man page, but I can't really imagine, where else it can get user group list information.

getgroups(2) at least under Linux that fetches the group list from the kernel. Someone must have put them there with setgroups(2) first, so this is no help.

> I thought, that Linux has similar approach, but from your question it seems it's not. Can you give more details, please?

Linux has an nss extension called initgroups that exactly asks the right question: What are the groups for this user?. It does not delegate this to the login application which just would have to fall back to getgrent.

Volker
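A diagnostic for the question debated in this thread, added here as an example and not code from any of the posters or from Samba: it compares the groups a user gets from a setgrent/getgrent/endgrent walk with what getgrouplist(3) returns. `MAX_GROUPS` and the function names are assumptions of the example, and the `getgrouplist()` prototype is the glibc/FreeBSD one.

```c
#define _DEFAULT_SOURCE              /* glibc: expose getgrouplist(3) */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_GROUPS 1024              /* assumed upper bound for this example */

/* Supplementary groups found by walking every record with *grent(); this
 * sees only groups the NSS backends agree to enumerate. */
int groups_by_enumeration(const char *user, gid_t *out, int max) {
    struct group *gr;
    int n = 0;
    setgrent();
    while ((gr = getgrent()) != NULL)
        for (char **m = gr->gr_mem; m && *m; m++)
            if (strcmp(*m, user) == 0) { if (n < max) out[n++] = gr->gr_gid; break; }
    endgrent();
    return n;
}

/* Group list as the C library reports it; -1 if out[] is too small. */
int groups_by_getgrouplist(const char *user, gid_t base, gid_t *out, int max) {
    int n = max;
    return getgrouplist(user, base, out, &n) < 0 ? -1 : n;
}

int contains(const gid_t *set, int n, gid_t g) {
    for (int i = 0; i < n; i++) if (set[i] == g) return 1;
    return 0;
}

/* Number of gids in a[] that do not appear in b[]. */
int missing_from(const gid_t *a, int na, const gid_t *b, int nb) {
    int miss = 0;
    for (int i = 0; i < na; i++) miss += !contains(b, nb, a[i]);
    return miss;
}

int main(int argc, char **argv) {
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (!pw) { fprintf(stderr, "unknown user\n"); return 1; }
    gid_t e[MAX_GROUPS], l[MAX_GROUPS];
    int ne = groups_by_enumeration(pw->pw_name, e, MAX_GROUPS);
    int nl = groups_by_getgrouplist(pw->pw_name, pw->pw_gid, l, MAX_GROUPS);
    if (nl < 0) { fprintf(stderr, "more than %d groups\n", MAX_GROUPS); return 1; }
    printf("enumeration: %d groups, getgrouplist: %d groups\n", ne, nl);
    printf("only via getgrouplist (besides the primary gid): %d\n",
           missing_from(l, nl, e, ne) - !contains(e, ne, pw->pw_gid));
    return 0;
}
```

Run it for a domain user with enumeration turned off: a last line of 0 means the C library only learns memberships through the getgrent walk, as the quoted FreeBSD man page describes, while a positive number means it obtains them another way, such as the initgroups lookup mentioned for Linux.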
[Samba] winbind enum = yes ... oreilly samba books says turn off ... but things break. confused :-(
Hi all,

In the Oreilly Using Samba book pg 292 it is recommended to turn off Winbindd(8) user and group enumeration (very expensive operation). However, when doing this on FreeBSD -CURRENT the groups that users are in are not recognised.

When I enable user and group enumeration group permissions work (at least for the first 16 groups) i.e. via chown(1).

So my question is: From people's experience what do you do? Turn enum on or off? And do you experience the same problem I do? Or is this just a FreeBSD issue?

-aW
Re: [Samba] winbind enum = yes ... oreilly samba books says turn off ... but things break. confused :-(
Wilkinson, Alex wrote:
> Hi all,
>
> In the Oreilly Using Samba book pg 292 it is recommended to turn off Winbindd(8) user and group enumeration (very expensive operation). However, when doing this on FreeBSD -CURRENT the groups that users are in are not recognised.
>
> When I enable user and group enumeration group permissions work (at least for the first 16 groups) i.e. via chown(1).
>
> So my question is: From people's experience what do you do? Turn enum on or off? And do you experience the same problem I do? Or is this just a FreeBSD issue?

If this is true, then it is a really bad design in FreeBSD. Timur, can you confirm this? Does FreeBSD rely on set/get/endgrent to get group memberships?

cheers, jerry