winbindd, samba DC, and trusts

simo idra at
Mon Jan 28 18:38:33 GMT 2008

Recently I have been testing with Guenther and Michael both v3-0-test
and v3-2-test in the situation were you have a samba PDC, with trusts.
This situation requires winbindd to be configured in nsswitch.conf to
provide system accounts for trusted domains.

Unfortunately to allow things like ntlm_auth (?) to work in the DC case
winbindd is configured to not consider his own domain as "internal" in
case of a DC (see is_internal_domain() ).

This means that winbindd will try a session setup against the local
smbd. The local smbd in turn tries to getpwnam() the account being used
to authenticate (but I guess it can also try other ops against winbindd
to resolve SIDs or other system accounts).

This does not work as the main winbindd daeomn is blocked on the session
setup used to initialize a non internal domain and therefore will not
reply to the smbd request until both time out (usually after 10

My initial "solution" was to remove the IS_DC check in
is_internal_domain() but that would prevent ntlm_auth to work I guess.

Another solution may be to put a signature of some kind in the cifs
session setup so that smbd can set the winbindd environment safeguard
and not loop. But Jerry tells me that this has been proposed and refused

Ideas on how to better solve this are welcome (possibly without
requiring gargantuan patches as I'd like to fix this for 3.0.x which is
in maintenance mode).


Simo Sorce
Samba Team GPL Compliance Officer <simo at>
Senior Software Engineer at Red Hat Inc. <ssorce at>

More information about the samba-technical mailing list