[Samba] Inefficient Winbind behavior?

SRuth at LANDAM.com SRuth at LANDAM.com
Thu May 22 20:48:26 GMT 2003


Tim & Brent

Thanks for responding.

Unfortunately, the solution is not that simple.  :)  The password server
field is intended, AFAIK, for the domain that the Samba server is a member
of.  However, my domain structure has an accounts domain and resource
domains.  My Samba server is a member of a resource domain, which has a
one-way trust relationship to the accounts domain.  This means winbind has
to contact DCs in the accounts domain to authenticate users.  Therein lies
the trouble, because the accounts domain has a server on the same LAN as the
Samba server, but winbindd decides to use the server that resides across a
WAN link.  The server it decides to use is always the PDC of the accounts
domain.

Just to test, I tried changing the password server field to point to the
local accounts domain DC, but then Samba was unable to authenticate at all,
presumably because the Samba server does not exist in the accounts domain.

Any other ideas?  :)


Sven


-----Original Message-----
From: Tim Potter [mailto:tpot at samba.org]
Sent: Tuesday, May 20, 2003 8:24 PM
To: SRuth at LANDAM.com
Cc: samba at lists.samba.org
Subject: Re: [Samba] Inefficient Winbind behavior?


On Tue, May 20, 2003 at 10:22:38AM -0400, SRuth at LANDAM.com wrote:

> I've done some investigating and have found that winbindd queries WINS for a
> domain controller for the 2003 domain, which it finds just fine and is able
> to authenticate users against.  However, the problem is that the server it's
> finding is on a different subnet, connected via a T1 WAN link.  So it uses
> the remote server instead of a local 2003 DC, which is acting as a BDC, that
> resides on the same LAN as the Samba server.
>
> Shouldn't winbindd use the local DC?  Can I configure it to do so?  I'm
> fairly convinced that authenticating over the WAN link is causing the delays
> I'm experiencing.  Any ideas are welcome.

You should be able to specify which domain controller to use with the
'password server' smb.conf parameter.  When there is no password server
specified winbindd should pick the "closest" domain controller.

Is there anything in the logs about errors contacting closer DCs?
That's the only reason I can think that the remote DC is being chosen
over local ones.


Tim.


