This is the comment you were replying to, attached to the article Samba ADS integration without Kerberos:
#5 Re: Samba ADS integration without Kerberos
Posted by Jubal (62.233.xx.xx) on Thu 22 Jun 2006 at 16:43

I used a similar setup for some time... It is usually all fine and dandy, but there are some warnings:

1) When you want to have any userid/groupid consistency between various machines, you'd better use a common idmap cache.
2) In big AD environments (more than 2000 user / group objects) winbind shows how highly inefficient it is. A simple enumeration of users could choke the system on a really powerful machine (...and user/group enumeration is not that uncommon, for example mc does that at start). You can disable user/group enumeration, but with so many objects in AD winbind will choke anyway.

All in all, I found a solution that uses dual LDAP/Kerberos (AD) for authentication and LDAP for keeping the user data to be much more stable. The Linux/Unix LDAP infrastructure is separate, but has the usernames synchronized with AD (by hand ATM, but this can be achieved by a simple script).

Jubal