About adding a new 'winbind:allow domains' parameter

Andreas Schneider asn at samba.org
Fri Oct 4 09:50:55 UTC 2019

On Thursday, 3 October 2019 18:37:58 CEST Samuel Cabrero wrote:
> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-technical wrote:
> > What is the reason to have just a manually specified subset of the trusted
> > domains?
> > 
> > I'd actually like to get rid of all these hacks and just trust our DC.
> Because some users are currently using the documented parameter
> 'winbind:ignore domains', and when new domains are added to AD they have
> to be added to this setting too. It is just a usability improvement.
> But let me ask, why does the 'ignore domains' option exist in the first place?
> The documentation says it "can avoid the overhead of resources from
> attempting to login to DCs that should not be communicated with" but
> from your reply I am not sure if this is still a valid assertion.

In the past we tried to communicate with the DC directly. We had a child 
running for each domain member. The assumptions we had date back to NT4-style 
domain controllers. In the meantime we know we can only talk to our primary 
trust to authenticate users, and the DC will route the request for us.

wbinfo --trusted-domains --verbose

will give you detailed information now!

All those options about ignoring domains probably date back to NT4 and we should 
deprecate them. winbind should only talk to the primary trust. That's the DC 
we trust :-)

Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
