How to ignore trusted domains completely?
buc at odusz.so-cdu.ru
Thu Oct 11 13:00:10 GMT 2007
Our AD has several trusted domains. These domains are reported to the
winbind daemon, and then winbind tries to contact the corresponding DCs.
The "allow trusted domains = no" setting does not affect winbind in this context.
I would like to ignore these domains for some reasons:
- Their DCs are very far away geographically; the network channels to them
are too slow, or not reachable at all (from our Samba hosts, at least).
- Their DCs seem to be "broken", since they are just an attempt to create
some AD forest without a clear understanding of what to do, etc.
- When I use "rid" as the idmap backend, "getent passwd" or "getent
group" freeze, because the winbind daemon tries to contact these "bad"
remote DCs for info about the trusted domains.
(I am aware of "winbind enum", and don't want to disable it...)
I've found only one hackish way to "block" winbind from attempting to
contact such DCs: specifying
"name resolve order = NULL"
in the winbind config file (plus "password server" set to the IP of our own DC). It
causes winbind simply not to find any info about these domains at all.
Then "getent passwd" is not frozen.
Maybe implement some wildcardable config parameters like "valid/invalid
users", i.e. "valid/invalid trusted domains", or "block trusted domains
= list", etc.