For local users who definitely are not on the AD domain, winbind shouldn't try to lookup any group memberships. The reason for this is that winbind can hang for a while on a query causing issues for core system services.
For example if NetworkManager is running and has a dispatcher script which tries to run 'smbcontrol winbind offline', NetworkManager may never get to actually fork the script since name lookups are hanging for local system users (e.g. dbus, root). So since winbind still things it's online things will continue to hang for even longer.
To speed things up and make them more reliable, winbind should have something like nss_initgroups_ignoreusers for nss_ldap.
I'd be happy to get started on this if someone could give me a pointer to the best place in the code to insert this sort of thing, and a quicky on adding a configuration parameter. If I don't hear from anyone in a while I'll get started anyway, but it would be nice to have some help :)
Created attachment 4961 [details]
Implementation of winbind initgroups ignoreusers option
This is for 3.3.9 (since that's what I'm working with now), but should hopefully work fine on 3.4.x. It would be really nice if one of the devs could look over it and push it into testing :)
I am going to investigate this and also look at your patch.
Created attachment 4966 [details]
Similar patch for 3.4.3
One issue I have is that implementing this option in winbindd_group.c
still causes a hang when winbindd isn't initialized yet. So it would
be best to be implemented before anything that tries to contact
winbindd, however from what I can tell anything at that level doesn't
have accessibility to the config file to actually read the option.
Therefore in this patch there are actually two items, implementing the
option in winbindd_group.c, and also a hardcoded skipping of "root" in
winbind_nss_linux.c (possibly this should be in a more general place,
but I couldn't find a better place nor a function definition for
_nss_winbind_initgroups_dyn under the other OS implementations). The
second part is because most core stuff is running as root, and it
should be a safe bet that root isn't a member of any group on the
directory service, and even if it was then it wouldn't matter since
root is the superuser and would have access to everything regardless
of group membership. However it would still be best to implement the
user skip checking based on the option alone (without hardcoding
"root") at a level before any attempt at calling winbindd is done.
Just for the record: we had something like this three years ago already:
Can an official release be pushed out for this, please? It would be extremely useful to stop winbind from dealing with specific users groups.
I don't think that we'll ever implement something like this, this is also why this is not worked on since 12 years. Everybody is urgendtly asked not to use winbind use default domain (or live with the drawbacks).