About adding a new 'winbind:allow domains' parameter

Jim McDonough jmcd at samba.org
Fri Oct 4 11:08:26 UTC 2019

On 10/4/19 5:50 AM, Andreas Schneider via samba-technical wrote:
> On Thursday, 3 October 2019 18:37:58 CEST Samuel Cabrero wrote:
>> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-technical wrote:
>>> What is the reason to have just a manually specified subset of the trusted
>>> domains?
>>> I'd actually like to get rid of all these hacks and just trust our DC.
>> Because some users are currently using the documented parameter
>> 'winbind:ignore domains', and when new domains are added to AD they have
>> to be added to this setting too. It is just a usability improvement.
>> But let me ask, why does the 'ignore domains' option exist in the first place?
>> The documentation says it "can avoid the overhead of resources from
>> attempting to login to DCs that should not be communicated with" but
>> from your reply I am not sure if this is still a valid assertion.
> In the past we tried to communicate with the DC directly. We had a child
> running for each domain member. The assumptions we had date back to NT4-style
> domain controllers. In the meantime we know we can only talk to our primary
> trust to authenticate users and the DC will route the request for us.
Actually, even with the NT domain controllers, this was technically the
wrong thing to do.  It just happens to work if you have two-way trusts.
So really this was before we had protocol information and were
investigating it ourselves.

Hooray for documentation!
