On 31/07/15 18:53, Denis Cardon wrote:
> Hi Jefferson,
>
> On 31/07/2015 15:22, Jefferson B. Limeira wrote:
>> What is the best way to authenticate users in SMB4 DC on Linux
>> workstation?
>> I'm using pam_winbind, but sometimes it's very slow...
>
> Configuring everything correctly on the workstation side is quite
> tricky. If you have laptops among your workstations, you'll have to
> deal with caching credentials, groups, users, sid mappings, and so on.
> Otherwise it will be a PITA when network connection to the DC is not
> available.
>
> PAM and NSSwitch are very tricky beasts to tame properly! Currently,
> I'd say that the easiest way of dealing with all those tricky things is
> to use the pbis from Powerbroker :
>
> http://www.powerbrokeropen.org/
>
> Cheers,
>
> Denis
>

Why put another layer on top of winbind? PAM is only tricky to set up if you *don't* use the OS tools: authconfig on Red Hat, just installing the various pam packages on Debian.

Do you by any chance have enumeration turned on in smb.conf?

Rowland

You refer to the parameters

winbind enum users
winbind enum groups

in smb.conf?

These are not configured; according to the smb.conf man page the default value is 'no'.

My workstations are using original distro samba packages (samba-client-3.6.23-14.el6_6.i686).

On 2015-07-31 15:20, Rowland Penny wrote:
>
> Do you by any chance have enumeration turned on in smb.conf ?
>
> Rowland

--
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628

Rowland,

enumeration should be disabled on the samba server or on the workstation? You mean about winbind enum user|group ?

>
> Do you by any chance have enumeration turned on in smb.conf ?
>
> Rowland

--
[]'s
Jefferson B. Limeira
jbl at internexxus.com.br
https://br.linkedin.com/in/jlimeira
(41) 9928-8628

On 03/08/15 19:31, Jefferson B. Limeira wrote:
> Rowland,
>
> enumeration should be disabled on the samba server or on the
> workstation? You mean about winbind enum user|group ?

Short answer, no, yes, yes :-)

Long answer, I believe before 4.2 you couldn't disable enumeration and from 4.2 it is already disabled. If you have enumeration turned on for the Linux clients, this can slow things down and yes, I did mean 'winbind enumerate' in smb.conf.

Rowland

>
>>
>> Do you by any chance have enumeration turned on in smb.conf ?
>>
>> Rowland
>
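
A way to check a workstation's smb.conf for the two settings discussed in this thread, as an added example that is not part of any poster's message. It reads only the [global] section, does not follow include directives, and the sample file is constructed; the function and variable names are hypothetical.

```python
import re

# Parameters named in the thread; "no" is the default quoted there from the man page.
ENUM_PARAMS = ("winbind enum users", "winbind enum groups")
# Spellings treated as "true" here (assumption: yes/true/on/1, case-insensitive).
TRUE_WORDS = {"yes", "true", "on", "1"}

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def _logical_lines(text):
    # A trailing backslash continues a line onto the next one.
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield (buf + raw).strip()
        buf = ""
    if buf:
        yield buf.strip()

def winbind_enum_settings(text):
    """Return {parameter: bool} as set in [global]; unset means False."""
    wanted = {_norm(p): p for p in ENUM_PARAMS}
    result = {p: False for p in ENUM_PARAMS}
    section = None
    for line in _logical_lines(text):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if _norm(key) in wanted:          # a later setting overrides an earlier one
            result[wanted[_norm(key)]] = value.strip().lower() in TRUE_WORDS
    return result

# Constructed sample, not taken from any machine in the thread.
SAMPLE = """\
[Global]
   workgroup = EXAMPLE
   Winbind Enum Users = Yes
   winbindenumgroups = no
[share]
   winbind enum groups = yes
"""

if __name__ == "__main__":
    for name, enabled in winbind_enum_settings(SAMPLE).items():
        print(f"{name}: {'yes' if enabled else 'no'}")
```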