[Samba] Winbind in ADS forest hangs when not able to talk to other DCs

Roman Rathler roman at hamma.net
Wed Jun 16 10:36:28 GMT 2004

Hi There,

We have a winbind installation here that is used for Squid authentication and group resolving. The winbind server is part of the domain ch.domain.intern. The ADS forest is organized like this:


ch.domain.intern at.domain.intern fr.domain.intern

and other sites will follow. Authentication and group resolving actually work fine, BUT: if the link to at or fr is down, winbind hangs!!! First of all: why does winbind try to connect to the at or fr domain controllers, because there is no information for winbind on these servers? How can I keep winbind from trying to connect to these domain controllers?

my smb.conf:


[global]
workgroup = CHDOM01
server string = proxy

client use spnego = yes

load printers = no

idmap uid = 10000-20000
idmap gid = 10000-20000
# winbind separator = +
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes

log file = /var/log/samba/%m.log
max log size = 50
security = ads
realm = ch.domain.intern
password server = wsvch01 wsvch02
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

my krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = CH.DOMAIN.INTERN
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 CH.DOMAIN.INTERN = {
  kdc = wsvch01.ch.domain.intern:88
  default_domain = ch.domain.intern
 }

[domain_realm]
 .ch.domain.intern = CH.DOMAIN.INTERN
 ch.domain.intern = CH.DOMAIN.INTERN

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Any suggestions?

Thanks in advance.
Best regards,
