[Samba] How to get winbindd to ignore trusted domains?

Farber, Saul (ENV) Saul.Farber at state.ma.us
Fri Sep 2 21:43:55 GMT 2005


Hello all,

I've successfully added a samba 3.0.20 server to an Active Directory
domain.

My only problem seems to be a fairly common one: there are 10 trusted
domains with close to 20,000 users in our AD "network", and if I do a
"wbinfo -u", wbinfo appears to time out before winbind has finished
contacting all 10 domains.

I've set the "allow trusted domains" flag to "no" in my smb.conf file,
but to no avail.

Does winbindd respect the "allow trusted domains" flag?  If not, how can
I get winbindd to not query all the domains?

Here is my smb.conf:


[global]
	netbios name = ENV-WS-SFLINUX
	workgroup = ENV
	socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	allow trusted domains = no
	winbind cache time = 3600
	winbind enum users = yes
	winbind enum groups = yes
	os level = 20
	password server = *
	preferred master = no
	winbind separator = /
	max log size = 50
	log file = /var/log/samba/log.%m
	encrypt passwords = yes
	dns proxy = no
	realm = ENV.GOVT.STATE.MA.US
	security = ADS
	wins server = 146.243.16.171 146.243.12.171
	wins proxy = no
	template homedir = /home/%D/%U
	template shell = /bin/bash.sambalogin
	winbind use default domain = no


And here is the output of starting winbindd in interactive mode with
debugging turned up.

[root at env-ws-sflinux samba-3.0.20]# sbin/winbindd -i -d 3 -s /usr/local/apps/samba-3.0.20/lib/smb.conf
winbindd version 3.0.20 started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/apps/samba-3.0.20/lib/smb.conf"
Processing section "[global]"
adding IPC service
adding IPC service
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Added domain <my fq domain> S-1-5-21-1060284298-413027322-1801674531
Added domain BUILTIN  S-1-5-32
Added domain ENV-WS-SFLINUX  S-1-5-21-3447848388-1786772243-2810629290
resolve_lmhosts: Attempting lmhosts lookup for name ENV<0x1c>
resolve_wins: Attempting wins lookup for name ENV<0x1c>
resolve_wins: using WINS server xxxxxxx and tag '*'
Got a positive name query response from xxxxxx ( xxxxx,xxxxx,xxx ... Etc. )
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource temporarily unavailable)
cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [xxxxx]
Doing spnego session setup (blob length=121)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=<my pdc>
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sat, 03 Sep 2005 03:40:34 GMT
lsa_io_sec_qos: length c does not match size 8
[ 1840]: list trusted domains
ads: trusted_domains
Added domain <parent domain> S-1-5-21-1202660629-2025429265-725345543
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0

Anyone have any ideas?

Thanks in advance
--saul
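
The mismatch described in this message can be checked mechanically. The following is an added example, not part of the original post and not Samba code: it reads the [global] value of "allow trusted domains" and reports whether a winbindd debug log still shows domains being added after the trusted-domain listing begins. The function names and the abridged sample input are constructed for illustration.

```python
import re
# Constructed sample input, abridged from the smb.conf and winbindd -d 3 output in the post.
SAMPLE_CONF = """[global]
    workgroup = ENV
    allow trusted domains = no
"""
SAMPLE_LOG = """Added domain <my fq domain> S-1-5-21-1060284298-413027322-1801674531
Added domain BUILTIN  S-1-5-32
Added domain ENV-WS-SFLINUX  S-1-5-21-3447848388-1786772243-2810629290
[ 1840]: list trusted domains
ads: trusted_domains
Added domain <parent domain> S-1-5-21-1202660629-2025429265-725345543
Added domain <peer domain> S-0-0-0
Added domain <peer domain> S-0-0-0
"""

def global_param(conf_text, name):
    """Return the last value of `name` in [global], or None if unset."""
    # Parameter names are compared ignoring case and embedded whitespace.
    want = re.sub(r"\s+", "", name).lower()
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if re.sub(r"\s+", "", key).lower() == want:
                value = val.strip()
    return value

def trusted_domains_added(log_text):
    """Return (name, sid) for each 'Added domain' line after the trust listing starts."""
    added, listing = [], False
    for line in log_text.splitlines():
        if "list trusted domains" in line or "trusted_domains" in line:
            listing = True
        m = re.match(r"Added domain (.+?)\s+(S-[\d-]+)\s*$", line.strip())
        if m and listing:
            added.append((m.group(1), m.group(2)))
    return added

def setting_ignored(conf_text, log_text):
    """True when trusts are disabled in smb.conf but the log still shows trusted domains added."""
    # An unset parameter is treated as "yes" (assumed default for this example).
    val = (global_param(conf_text, "allow trusted domains") or "yes").lower()
    disabled = val in ("no", "false", "off", "0")
    return disabled and bool(trusted_domains_added(log_text))
```
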
