For local users who definitely are not on the AD domain, winbind shouldn't try to look up any group memberships. The reason for this is that winbind can hang for a while on a query, causing issues for core system services. For example, if NetworkManager is running and has a dispatcher script which tries to run 'smbcontrol winbind offline', NetworkManager may never get to actually fork the script since name lookups are hanging for local system users (e.g. dbus, root). So since winbind still thinks it's online, things will continue to hang for even longer. To speed things up and make them more reliable, winbind should have something like nss_initgroups_ignoreusers for nss_ldap. I'd be happy to get started on this if someone could give me a pointer to the best place in the code to insert this sort of thing, and a quicky on adding a configuration parameter. If I don't hear from anyone in a while I'll get started anyway, but it would be nice to have some help :)
Created attachment 4961 [details] Implementation of winbind initgroups ignoreusers option This is for 3.3.9 (since that's what I'm working with now), but should hopefully work fine on 3.4.x. It would be really nice if one of the devs could look over it and push it into testing :)
Hi Nick, I am going to investigate this and also look at your patch. Michael
Created attachment 4966 [details] Similar patch for 3.4.3 One issue I have is that implementing this option in winbindd_group.c still causes a hang when winbindd isn't initialized yet. So it would be best to be implemented before anything that tries to contact winbindd; however, from what I can tell, anything at that level doesn't have access to the config file to actually read the option. Therefore in this patch there are actually two items: implementing the option in winbindd_group.c, and also a hardcoded skipping of "root" in winbind_nss_linux.c (possibly this should be in a more general place, but I couldn't find a better place nor a function definition for _nss_winbind_initgroups_dyn under the other OS implementations). The second part is because most core stuff is running as root, and it should be a safe bet that root isn't a member of any group on the directory service, and even if it was then it wouldn't matter since root is the superuser and would have access to everything regardless of group membership. However, it would still be best to implement the user skip checking based on the option alone (without hardcoding "root") at a level before any attempt at calling winbindd is done.
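The skip check the comment above describes, written out as an added C illustration for this page (it is not the attached patch and not Samba code): a parser for the value of a hypothetical 'winbind initgroups ignoreusers' option, modelled on nss_ldap's nss_initgroups_ignoreusers, plus a guard placed in front of the winbindd round trip that also hard-codes root the way the patch does. A constructed stand-in replaces winbindd so the example runs without a daemon. The option name, the functions initgroups_ignore_user and nss_initgroups_guard, the winbindd_query_fn callback type and the fake gid 10001 are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Mirrors the glibc enum nss_status values an NSS module returns; defined
 * locally so the example builds without <nss.h>. */
enum ex_nss_status {
    EX_NSS_STATUS_UNAVAIL  = -1,
    EX_NSS_STATUS_NOTFOUND =  0,
    EX_NSS_STATUS_SUCCESS  =  1
};

/* Hypothetical callback standing in for the real "send a request to
 * winbindd" step. In a real module this is the call that hangs when
 * winbindd is offline or not yet started. */
typedef enum ex_nss_status (*winbindd_query_fn)(const char *user,
                                                gid_t *groups, long *count);

/* Return true if 'user' is one of the comma/space/tab separated names in
 * 'ignore_list' (the value of the hypothetical option). Matching is exact:
 * "dbu" does not match "dbus". */
bool initgroups_ignore_user(const char *user, const char *ignore_list)
{
    if (user == NULL || ignore_list == NULL) {
        return false;
    }
    size_t ulen = strlen(user);
    const char *p = ignore_list;
    while (*p != '\0') {
        while (*p == ',' || *p == ' ' || *p == '\t') {   /* skip separators */
            p++;
        }
        const char *start = p;
        while (*p != '\0' && *p != ',' && *p != ' ' && *p != '\t') {
            p++;
        }
        size_t len = (size_t)(p - start);
        if (len > 0 && len == ulen && memcmp(start, user, len) == 0) {
            return true;
        }
    }
    return false;
}

/* Guard in front of the winbindd round trip: root is skipped unconditionally
 * (as the attached patch hard-codes), listed users are skipped, everyone
 * else is sent to winbindd. NOTFOUND means "this source contributes no
 * groups" and lets glibc continue with the next nsswitch source. */
enum ex_nss_status nss_initgroups_guard(const char *user,
                                        const char *ignore_list,
                                        winbindd_query_fn query,
                                        gid_t *groups, long *count)
{
    if (strcmp(user, "root") == 0 || initgroups_ignore_user(user, ignore_list)) {
        *count = 0;
        return EX_NSS_STATUS_NOTFOUND;
    }
    return query(user, groups, count);
}

/* Constructed stand-in for winbindd: counts how often it was contacted and
 * hands back one fake domain group. */
static int g_winbindd_calls = 0;
static enum ex_nss_status fake_winbindd(const char *user, gid_t *groups, long *count)
{
    (void)user;
    g_winbindd_calls++;
    groups[0] = 10001;   /* constructed domain gid */
    *count = 1;
    return EX_NSS_STATUS_SUCCESS;
}

int winbindd_calls(void) { return g_winbindd_calls; }

int main(void)
{
    const char *ignore = "dbus, polkitd,avahi";   /* constructed option value */
    const char *users[] = { "root", "dbus", "polkitd", "alice", "dbu" };
    gid_t groups[16];
    long n = 0;
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        enum ex_nss_status st = nss_initgroups_guard(users[i], ignore,
                                                     fake_winbindd, groups, &n);
        printf("%-8s -> %s (winbindd contacted so far: %d)\n", users[i],
               st == EX_NSS_STATUS_SUCCESS ? "asked winbindd" : "skipped",
               winbindd_calls());
    }
    return 0;
}
```

The point the comment makes is visible in the call counter: for root and the listed system users the stand-in daemon is never contacted, so there is nothing for an offline or not-yet-started winbindd to block on. Only unlisted users such as alice trigger the round trip.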
Just for the record: we had something like this three years ago already: http://git.samba.org/?p=samba.git;a=commitdiff;h=7399ab779d7100059475ed196e6e4435b2b33bbd
Raising component.
Can an official release be pushed out for this, please? It would be extremely useful to stop winbind from dealing with specific users' groups.
I don't think that we'll ever implement something like this, which is also why this has not been worked on for 12 years. Everybody is urgently asked not to use 'winbind use default domain' (or live with the drawbacks).