[Samba] unreachable trusted domains in enterprise environment
Donald, Alan
alan.donald at acnielsen.com.au
Thu Dec 1 02:35:13 GMT 2005
Hi Jerry,
That kind of worked.
I do have another problem now though. wbinfo --domain=DOMAIN -u or
wbinfo --domain=DOMAIN -g both time out. Also, getent passwd eventually
times out as well after displaying a massive list of users, although
restricting it to a user works correctly, e.g. getent passwd
'DOMAIN\User'. I can also assign AD permissions to the filesystem
without problem.
winbindd -d3 gives me the following output when I type wbinfo -u
--domain=DOMAIN:
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
[2005/12/01 12:45:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe
We have about 48000 users in our tree but 47000 of those are irrelevant
to us. Our tree is also (mis)configured to have a replica of the entire
tree on each server so while I think this has sorted most of our
problems out, the ldap query just takes too long and it times out even
on the LAN.
I did put a parameter ldap timeout = 180 (3 minutes?) in smb.conf but it
didn't seem to make any difference.
Or, alternatively, if we can restrict the ldap searches to a particular
OU then I'd expect that would bring our ldap search times down, although
I don't know if ldap.conf has anything to do with this particular problem.
BTW, if I don't specify --domain=, wbinfo will still try to enumerate
the other trusted domains, and wbinfo -m will still list all the other
domains we don't care about.
-----Original Message-----
From: samba-bounces+adonald=acnielsen.com.au at lists.samba.org
[mailto:samba-bounces+adonald=acnielsen.com.au at lists.samba.org] On
Behalf Of Gerald (Jerry) Carter
Sent: Wednesday, 30 November 2005 2:43 AM
To: Donald, Alan
Cc: samba at lists.samba.org
Subject: Re: [Samba] unreachable trusted domains in enterprise
environment
Donald, Alan wrote:
| Basically what we would like to do is ensure that
| any ADS/Kerberos/LDAP traffic follow the 'sites and services'
| definition we have setup. That is, the ADS/LDAP/Kerberos
| traffic does not leave our office and only attempts to use
| our local DC for any queries. We'd also like to ignore
| (or use) a list of domains we specify. I did try setting
| the password server, but I think it is only for
| security = Domain type configurations (?).
No. password server is used for 'security = ads' as well.
If you don't want any of the trusted domains, you can
set 'allow trusted domains = no'. That's about the best
solution I can give you right now.
You might also want to test 3.0.21rc1 as we've done
some more winbindd improvements.
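For reference, here is an smb.conf fragment that puts Jerry's two suggestions (password server for security = ads, allow trusted domains = no) next to the enumeration settings that address the timeouts Alan describes. This is an added example, not configuration from either poster; the realm, workgroup and DC hostname are assumed placeholders, and the winbind enum users/groups parameters are assumed to be available in the 3.0.2x series being discussed (check testparm and the smb.conf man page for your version).

```ini
[global]
   # Assumed placeholder names; substitute your own realm, workgroup and DC.
   workgroup = DOMAIN
   realm = DOMAIN.EXAMPLE.COM
   security = ads

   # Pin winbindd/LDAP/Kerberos traffic to the local DC rather than
   # whatever DNS/site lookup returns (also honoured with security = ads).
   password server = dc1.domain.example.com

   # Stop winbindd from contacting or listing trusted domains at all;
   # wbinfo -m will then show only the primary domain.
   allow trusted domains = no

   # Do not let getent passwd/group walk the whole tree (48000 users).
   # Per-user lookups such as getent passwd 'DOMAIN\User' keep working.
   winbind enum users = no
   winbind enum groups = no

   # Seconds winbindd waits for an LDAP reply; raising it only helps if
   # the search can actually complete within that window.
   ldap timeout = 180

   # Cache positive lookups so repeated per-user queries do not hit the DC.
   winbind cache time = 300

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = no
```

Disabling enumeration is usually the right trade-off: nothing in normal authentication or file-permission assignment needs a full user list, and leaving it on means any local account can dump the directory with a single getent call, which is both slow and more exposure than most sites want.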