[Samba] WINBIND on a VERY LARGE FOREST

Michael Joyner mjoyner at vbservices.net
Fri Jul 28 17:03:09 GMT 2006


Disable your nscd daemon and see if that helps.

On 7/28/06, tita.boba at libero.it <tita.boba at libero.it> wrote:
>
> Hi all!
> I'm trying to set up a Linux Samba server as a domain member of a SINGLE
> FOREST with MULTIPLE DOMAINS.
> The forest is 2 servers acting as a global catalog.
> Other domains are child domains with implicit trust with the forest. I set up a
> Linux server with Samba as a domain member to work with squid,
> authenticating users and verifying users' group membership. I need to allow
> access to squid only to some users in different groups.
> So I set up Samba with winbind, ads and kerberos support.
> I configured /etc/krb5.conf correctly to permit Samba to join and query the
> GC with net ads join. I configured Samba and winbind correctly, all OK.
> Now I need to use wbinfo_group.pl to verify users' groups.
> But before that I tested the configuration with wbinfo -r DOMAIN\\user. If
> I search for a user in the GC domain, the domain Samba joined directly, I can see
> all groups belonging to a user correctly. If I add and remove users from AD,
> I need to wait 5 seconds (I set up winbind cache = 5 second) to see the change
> with wbinfo -r.
> Now the problem. If I search for groups in a child domain, winbind shows them
> correctly. If I add or remove a group, winbind does not show me the
> change for many hours!
> I tried to restart Samba and winbind, but nothing.
> I disjoined and rejoined, but nothing. Tracing the connections, I see that
> winbind contacts the global catalog and the domain the query is for, but I think
> there is a strange cache that does not permit me to see the changes with
> winbind. I tried many configurations, I tried to disable the GC on the Windows
> forest, I tried to join a single domain, I tried to do an explicit two-way
> trust, but nothing!!! Please, can someone help me identify the
> problem and resolve this? It's important to understand that I have no
> problem authenticating users wherever they are, the problem is only this
> strange cache that the GC gives to WINBIND. No universal group cache is enabled
> on the forest! Many thanks to all!

