About adding a new 'winbind:allow domains' parameter
Stefan Metzmacher
metze at samba.org
Fri Oct 4 13:01:38 UTC 2019
Hi Samuel,

> On Wed, Oct 02, 2019 at 05:57:52PM +0200, Stefan Metzmacher via samba-technical wrote:
>> What is the reason to have just a manually specified subset of the trusted
>> domains?
>>
>> I'd actually like to get rid of all these hacks and just trust our dc.
>
> Because some users are currently using the documented parameter
> 'winbind:ignore domains', and when new domains are added to AD they have
> to be added to this setting too. It is just a usability improvement.
>
> But let me ask, why does the 'ignore domains' option exist in the first place?
> The documentation says it "can avoid the overhead of resources from
> attempting to login to DCs that should not be communicated with" but
> from your reply I am not sure if this is still a valid assertion.

I hope most of it is gone with "winbind scan trusted domains = no" and
the new "winbind use krb5 enterprise principals = yes".

I also think the "untrust" part of "... list of trusted domains winbind
should ignore (untrust)..." is not really true anymore (or never was).

What is the idmap configuration?

metze