About adding a new 'winbind:allow domains' parameter
Andreas Schneider
asn at samba.org
Fri Oct 4 09:50:55 UTC 2019
On Thursday, 3 October 2019 18:37:58 CEST Samuel Cabrero wrote:
> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-
technical wrote:
> > What is the reason have just a manual specified subset of the trusted
> > domains?
> >
> > I'd actually like to get rid of all this hacks and just trust our dc.
>
> Because some users are currently using the documented parameter
> 'winbind:ignore domains', and when new domains are added to AD they have
> to be added to this setting too. It is just a usability improvement.
>
> But let me ask, why the 'ignore domains' option exists in first place?
> The documentation says it "can avoid the overhead of resources from
> attempting to login to DCs that should not be communicated with" but
> from your reply I am not sure if this is still a valid assertion.
In the past we tried to communicate with the DC direclty. We had a child
running for each domain member. The assumptions we had date back to NT4 style
domain controllers. In the meantime we know we can only talk to our primary
trust to authenticate users and the DC will route the request for us.
wbinfo --trusted-domains --verbose
will give you detailed information now!
All those options about ignore domains probably date back to NT4 and we should
deprecate them. winbind should only talk to the primary trust. That's the DC
we trust :-)
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the samba-technical
mailing list