a way to disable ADS in winbind in samba3

Gerald (Jerry) Carter jerry at samba.org
Mon May 28 15:14:43 GMT 2007


Volker,

> I think this particular one is missing DNS on the DCs,

We should have better fallback code in this case to
detect failure and fall back to the winbindd_rpc methods.

> I myself have not seen that. This is the cluster that Tridge
> is testing on. I myself have several applications where I
> want winbind to authenticate for squid in a DMZ, and I only
> want it to do the NTLM auth proxy. Nothing else. And for
> security reasons the connection between the DMZ and any DC
> should be shut down as much as possible. I know, 445 is
> pretty bad, but it's better than everything necessary for
> AD.

My experiences are not quite the same as yours and Tridge's.
Centeris is making a living from selling a winbindd based
solution into AD environments and our experience has been
that the majority of the time, the domain environment is
set up correctly and the AD admins are pretty competent folks.

The reason why I'm opposed to reverting the "use winbindd_ads
whenever possible" is that it penalizes everyone who uses
Samba for the benefit of a few broken installations.
I'm a little surprised since you have been the main proponent
of getting rid of any distinction between security = ads and
security = domain.

However, if there really has to be a way to deal with this,
I would have to vote for Tridge's patch.  As much as I
hate new parameters, at least this one would not change
the current default behavior which I believe to be correct.

cheers, jerry