How to ignore trusted domains completely?

Dmitry Butskoy buc at
Thu Oct 11 13:00:10 GMT 2007

Our AD has several trusted domains. These domains are reported to 
winbind daemon, and then winbind tries to contact the correspond DCs.
The "allow trusted domains = no" does not affect winbind in this context.

I would like to ignore these domains for some reasons:

- Their DCs are very far geographically, the network channels for them 
is too low, or even not reachable at all (from our Samba hosts exactly).
- Their DCs seem to be "broken", since it is just an attempt to create 
some AD forest without clear understanding what to do etc...
- When I use "rid" for idmap backend, the "getent passwd" or "getent 
group" are frozen, because winbind daemon tries to contact these "bad" 
remote DCs for info about trusted domains.
(I am aware of "winbind enum", and don't want to disable this...)

I've found only one hackish way to "block" winbind from attempts to 
contact such DCs: to specify:
"name resolve order = NULL"
in winbind config file (plus "password server" for IP of own DC). It 
causes winbind just to not found the actual info about these domains at all.
Then "getent passwd" is not frozen.

Any comments?

Maybe implement some wildcardable config parameters aka "valid/invalid 
users", i.e. "valid/invalid trusted domains", or "block trusted domains 
= list", etc...

Dmitry Butskoy

More information about the samba-technical mailing list