I have an RHEL 6 server bound to an AD domain. Everything works fine, but group lookups are extremely slow. Some lookups can take over 60 seconds. This is very painful when running sudo and when users ssh in and it needs to verify their group membership before granting access. Strangely, when it comes to file permissions, there is no lag when a group is used to limit access via ACLs.
It seems like when groups are looked up, every single member of each group is enumerated. Some groups have over 100,000 members.
Here is my Winbind config:
workgroup = EXAMPLE
password server = AD.EXAMPLE.ORG
realm = EXAMPLE.ORG
security = ads
idmap uid = 10000-19999
idmap gid = 10000-19999
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 10000000-19999999
winbind enum users = no
winbind enum groups = no
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind offline logon = false