About adding a new 'winbind:allow domains' parameter
metze at samba.org
Fri Oct 4 13:01:38 UTC 2019
> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-technical wrote:
>> What is the reason to have just a manually specified subset of the trusted
>> I'd actually like to get rid of all these hacks and just trust our dc.
> Because some users are currently using the documented parameter
> 'winbind:ignore domains', and when new domains are added to AD they have
> to be added to this setting too. It is just a usability improvement.
> But let me ask, why does the 'ignore domains' option exist in the first place?
> The documentation says it "can avoid the overhead of resources from
> attempting to login to DCs that should not be communicated with" but
> from your reply I am not sure if this is still a valid assertion.
I hope most of it is gone with "winbind scan trusted domains = no" and
the new "winbind use krb5 enterprise principals = yes".
I also think the "untrust" part of "... list of trusted domains winbind
should ignore (untrust)..." is not really true anymore (or never was).
What is the idmap configuration?