[Samba] unreachable trusted domains in enterprise environment

Donald, Alan alan.donald at acnielsen.com.au
Thu Dec 1 02:35:13 GMT 2005


Hi Jerry,

That kind of worked. 

I do have another problem now though.  wbinfo --domain=DOMAIN -u or
wbinfo --domain=DOMAIN -g both time out. Also, getent passwd eventually
times out as well after displaying a massive list of users, although
restricting it to a user works correctly, e.g. getent passwd
'Domain\User'. I can also assign AD permissions to the filesystem
without problem.

winbindd -d3 gives me the following output when I type wbinfo -u
--domain=DOMAIN

[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [    0]: request interface version
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [    0]: request location of privileged pipe
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [    0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
[2005/12/01 12:45:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [    0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [    0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [    0]: request location of privileged pipe

We have about 48000 users in our tree but 47000 of those are irrelevant
to us. Our tree is also (mis)configured to have a replica of the entire
tree on each server, so while I think this has sorted most of our
problems out, the ldap query just takes too long and it times out even
on the LAN.

I did put a parameter ldap timeout = 180 (3 minutes?) in smb.conf, but it
didn't seem to make any difference.

Alternatively, if we can restrict the ldap searches to a particular
OU then I'd expect that would bring our ldap search times down, although
I don't know if ldap.conf has anything to do with this particular problem.


BTW, if I don't specify --domain= wbinfo will still try and enumerate
the other trusted domains, and wbinfo -m will still list all the other
domains we don't care about.


-----Original Message-----
From: samba-bounces+adonald=acnielsen.com.au at lists.samba.org
[mailto:samba-bounces+adonald=acnielsen.com.au at lists.samba.org] On
Behalf Of Gerald (Jerry) Carter
Sent: Wednesday, 30 November 2005 2:43 AM
To: Donald, Alan
Cc: samba at lists.samba.org
Subject: Re: [Samba] unreachable trusted domains in enterprise environment

Donald, Alan wrote:

| Basically what we would like to do is ensure that
| any ADS/Kerberos/LDAP traffic follow the 'sites and services'
| definition we have setup. That is, the ADS/LDAP/Kerberos
| traffic does not leave our office and only attempts to use
| our local DC for any queries. We'd also like to ignore
| (or use) a list of domains we specify. I did try setting
| the password server, but I think it is only for
| security = Domain type configurations (?).

No.  password server is used for 'security = ads' as well.

If you don't want any of the trusted domains, you can
set 'allow trusted domains = no'.  That's about the best
solution I can give you right now.

You might also want to test 3.0.21rc1 as we've done
some more winbindd improvements.
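As an added example (not from this thread or from the Samba project): a small Python script that parses winbindd -d3 output of the kind quoted above, measures how long the ADS user enumeration took, and reports whether the paged LDAP search timed out and how many entries still came back. The sample log is constructed from the lines in the post, with the wrapped header lines rejoined; it lets you check the effect of an smb.conf change such as ldap timeout from the log instead of waiting for wbinfo to hang.

```python
import re
from datetime import datetime

# Constructed sample: the winbindd -d3 lines quoted in the post, headers rejoined.
SAMPLE_LOG = """\
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [    0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"; the message
# text follows on indented lines.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

def parse_entries(text):
    """Return (timestamp, level, location, message) tuples from Samba debug output."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, int(m.group(2)), m.group(3), ""])
        elif entries:  # indented message line belongs to the last header
            entries[-1][3] = (entries[-1][3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def analyse_user_enumeration(text):
    """Measure the ADS user enumeration: did the paged LDAP search time out,
    how long did it take, and how many entries came back anyway."""
    start = end = entries_returned = None
    timed_out = False
    for ts, _level, loc, msg in parse_entries(text):
        if msg == "ads: query_user_list":
            start = ts
        elif "ads_do_paged_search" in loc and "Timed out" in msg:
            timed_out = True
        elif "query_user_list" in loc and (m := re.search(r"gave (\d+) entries", msg)):
            end, entries_returned = ts, int(m.group(1))
    elapsed = (end - start).total_seconds() if start and end else None
    return {"timed_out": timed_out, "elapsed_seconds": elapsed, "entries": entries_returned}

if __name__ == "__main__":
    print(analyse_user_enumeration(SAMPLE_LOG))
```

On the sample above it reports a 71 second enumeration that timed out yet still returned 25000 entries, which is the symptom the post describes.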
