How to ignore trusted domains completely?

Dmitry Butskoy buc at
Fri Oct 12 12:01:33 GMT 2007

Dmitry Butskoy wrote:
> Gerald (Jerry) Carter wrote:
>> Dmitry Butskoy wrote:
>>> Our AD has several trusted domains. These domains are reported to
>>> winbind daemon, and then winbind tries to contact the correspond DCs.
>>> The "allow trusted domains = no" does not affect winbind in this 
>>> context.
>> That would be a BUG IMO.  Where still talking about the 3.0.26a
>> installation with idmap_rid correct?
> Yep.
>> Looking at the code, it appears that disabling trusted domains
>> regressed.  Not sure when.
> Maybe in "nsswitch/winbindd.c:process_loop()" -- run 
> "rescan_trusted_domains()" conditionally?
> I can do any pre-tests if needed.  Hint me what to try.


After I have commented out "rescan_trusted_domains()" in 
"nsswitch/winbindd.c:process_loop()", all became fine!

No more need for "name resolve order = NULL" hack.

A lot of strange log reports (something related to some schannel 
failures) are gone. I had plans to ask the maillist about it, but I now 
have nothing to ask. :)

It seems that "rescan_trusted_domains()" should be conditionally 
switchable off, either by "allow trusted domains = no", or by own 
special config variable (bool or list).


More information about the samba-technical mailing list