[Samba] unreachable trusted domains in enterprise environment

Donald, Alan alan.donald at acnielsen.com.au
Mon Nov 28 06:03:15 GMT 2005

Hi All

We have quite a complex enterprise environment which includes a global
domain and lots of little asteroid domains all trusted by the central
domain. We have (imaginatively) called this central domain ENTERPRISE.

I have configured samba to be an ADS member server successfully, but due
to our network design many of the asteroid domains' DCs are
uncontactable from our regional office. Additionally, many of the
ENTERPRISE domain DCs are also uncontactable (but this does not cause
us any problem, since all of our DCs have a replica of the entire AD
tree - yes, I know this is stupid).

Basically, what we would like to do is ensure that any ADS/Kerberos/LDAP
traffic follows the 'sites and services' definition we have set up. That
is, the ADS/LDAP/Kerberos traffic does not leave our office and only
attempts to use our local DC for any queries. We'd also like to ignore
(or use) a list of domains we specify. I did try setting the password
server, but I think it is only for security = Domain type configurations.

Anyways, I can't see any options in smb.conf or other places that might
have this type of configuration. As an ugly kludge I did try to delete
the default gateway so any requests to remote DCs get failed instantly
(our DC is on the same subnet as our samba server), but it didn't make
much difference.

Any help would be greatly appreciated.
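As an added example, not part of the original post nor taken from Samba's own documentation, the fragments below show the two knobs a practitioner would reach for on a Samba 3 ADS member server to keep DC traffic local: `password server` in smb.conf (which, despite the poster's doubt, is honoured for `security = ads` as well as `security = domain`; the default `*` auto-locates a DC through DNS) and explicit `kdc` entries in krb5.conf with DNS KDC discovery switched off. The realm `ENTERPRISE.EXAMPLE` and the host `dc-local.enterprise.example` are placeholders, not names from the post.

```ini
# /etc/samba/smb.conf (fragment; realm and DC host names are assumed placeholders)
[global]
    workgroup = ENTERPRISE
    realm = ENTERPRISE.EXAMPLE
    security = ads
    # Pin authentication and AD lookups to the local DC instead of the default
    # '*', which locates a DC via DNS and may pick one that is unreachable.
    # A space-separated list of several local DCs avoids a single point of failure.
    password server = dc-local.enterprise.example
    # All-or-nothing switch: stop winbind from contacting DCs of trusted
    # (asteroid) domains at all. Samba 3 offers no per-domain allow list here,
    # so users from the reachable trusted domains lose resolution too.
    allow trusted domains = no

# /etc/krb5.conf (fragment): stop the Kerberos library from discovering KDCs
# through DNS SRV records, so tickets are only requested from the DC named here.
[libdefaults]
    default_realm = ENTERPRISE.EXAMPLE
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    ENTERPRISE.EXAMPLE = {
        kdc = dc-local.enterprise.example
        admin_server = dc-local.enterprise.example
    }
```

Neither setting makes Samba site-aware; they hard-code the DC, so the trade-off is a manual list to maintain in exchange for no off-site lookups. After changing them, `net ads testjoin` and `net ads info` confirm which DC the member server actually talks to, and `allow trusted domains = no` should be left at its default if users from any trusted domain still need to log on.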

