About adding a new 'winbind:allow domains' parameter

Stefan Metzmacher metze at samba.org
Fri Oct 4 13:01:38 UTC 2019

Hi Samuel,

> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-technical wrote:
>> What is the reason have just a manual specified subset of the trusted
>> domains?
>> I'd actually like to get rid of all this hacks and just trust our dc.
> Because some users are currently using the documented parameter
> 'winbind:ignore domains', and when new domains are added to AD they have
> to be added to this setting too. It is just a usability improvement.
> But let me ask, why the 'ignore domains' option exists in first place?
> The documentation says it "can avoid the overhead of resources from
> attempting to login to DCs that should not be communicated with" but
> from your reply I am not sure if this is still a valid assertion.

I hope most of it is gone with "winbind scan trusted domains = no" and
the new "winbind use krb5 enterprise principals = yes".

I also think the "untrust" part of "... list of trusted domains winbind
should ignore (untrust)..." is not really true anymore (or never was).

What is the idmap configuration?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20191004/eded3adc/signature.sig>

More information about the samba-technical mailing list