FW: Winbindd timeout on unreachable domains

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Thu Feb 19 11:39:21 GMT 2004

Hi Andrew,

	thanks for your reply, please see my comments below,

		thanks Andy.

On Wed, 2004-02-18 at 21:37, ww m-pubsyssamba wrote:
> Hi All,
> 	would anyone like to acknowledge this as a problem or correct me if I'm mistaken, I didn't get a 
> response from the samba mailing list. Seems to me to be an issue with implementing Samba+winbindd in a 
> distributed multi-domain windows environment,

Sorry, I meant to get back to you.  It's a known issue - there are ways
to work around it however - we can reduce the time we take before we
time out contacting trusted domains.

## Is this something I need to customise myself in the source? If so can you let me know which file and
## which param? Couldn't see anything obvious from grepping the source...

> Hi All,
> 	I have a concern with the behaviour of winbindd on startup in a multi-domain environment, in my
> case a 6 domain AD forest + trusts to 3 NT 4 domains. I've tested startup of winbindd in a 2 domain 
> development environment and found if a trusted domain is not contactable it takes five minutes to 
> timeout before winbindd becomes active (/tmp/.winbindd/pipe is created). 

This is a bit more excessive than I've seen in the past.  Is your DNS
set up correctly?

## My test forest has only two DCs so I don't think there's much that can go wrong in such a simple
## environment, (exact timeout is actually consistently 3 mins 50 seconds). However I'm going to test
## this in our live environment over the weekend by isolating a DC and samba server from the rest of 
## the network so I'll see for real how bad this will be with many trusted domains.

>   If I assume this will be the same behaviour for winbindd in our production environment then if our 
> domain were isolated from the rest of the trusted domains then winbindd would take 45 minutes (9x 
> 5 minutes) to become active if we needed to restart a server. Because our domain is on a physically 
> different and separately managed network from the others it is more than possible this type of situation 
> could occur. 45 minutes to startup is obviously unacceptable especially as I hope to deploy Samba 3.x on 
> one of our clusters. And to put this in comparison with a pure windows solution we would have no such 
> issues starting a DC or fileserver in a domain just because it couldn't see any or all trusted domains.

We suffer many pains because we are not windows :-).  (Mostly, this is
because windows does not need user lists or user names even, except in
the UI)

>   If I am incorrect please can you put me right on this, if I am correct is it possible that winbindd 
> can be modified to establish connection only with its local domain at startup and start serving data to 
> Samba from cached data for other domains?

There are some problems with this, but it's not that bad an idea. 

## Should I pursue this idea further, log a bug etc?

Andrew Bartlett
