[Samba] samba-3.0.14a-2 auth against a very Large AD domain

Norris, Brent bnorris at Edmonson.k12.ky.us
Wed Jan 11 14:12:34 GMT 2006

I have set up Samba to authenticate to a 2003 (probably SP1) domain and I am
having two very distinct problems.  I have searched the archives, but each
time I see this question asked I never see any answers, and I need an answer
or I am going to have to shut this off.

I work in the Kentucky school systems and we have one AD forest containing
one domain for each county in the state.  That totals up to 180 domains
inside one forest.  I don't have any access to the Domain Controller or the
Global Catalog server in our network.  That is managed by a state agency.

The first problem is the really major one:  I have two Fedora Core 4
machines with all updates connected to the Windows AD.  They seem to be
working fine when people try to get access to the shares that they have.  I
was told by the domain admins that they are logging tons of Event ID 675 on
the DC and tons of Event ID 672 on the GC from my two SAMBA machines.
Looking these up they reference a Pre-Authentication issue with Kerberos.
The bad part is that these are coming from the actual machines and not user
accounts, so there is no way that I can turn off Pre-Authentication.  I need
to know what I can do to stop this error, because this is an unacceptable
situation from their point of view.

The second problem, I think, stems from the fact that we are such an odd
configuration inside our forest.  When I try to run wbinfo -g or wbinfo -p
it just hangs and locks up winbind.  I think it is because it is attempting
to go out to the other domains and poll their accounts too.  If I pass the
option to wbinfo to limit it to just our domain, it returns in a timely
manner.  Unfortunately there doesn't seem to be a way to limit getent passwd
to just my domain and there doesn't seem to be a way to just tell winbind to
limit itself to my domain specifically.  I don't need to reference anything
from the other districts' domains, I only want to use objects from mine.
Does anyone know of a way to make this happen?

Thanks for any help you can give me, this is a pressing matter for me.

Brent Norris
Network Administrator, Edmonson County Schools
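
As an added example, not part of Brent's post and not taken from the Samba project's own documentation, here is an smb.conf fragment for a Samba 3.0.x member server that keeps winbind inside the domain the machine is joined to and turns off user/group enumeration, so that `getent passwd`, `getent group` and `wbinfo -g` no longer try to walk every trusted domain in the forest. The realm, workgroup and idmap ranges are placeholders to be replaced with the district's own values; every parameter named is a standard Samba 3 global option.

```ini
[global]
   ; Placeholders (assumed): substitute the district's NetBIOS domain and Kerberos realm.
   workgroup = MYDOMAIN
   realm = MYDOMAIN.EXAMPLE
   security = ads
   encrypt passwords = yes

   ; Samba 3.0.x winbind id mapping; the ranges are placeholders.
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes

   ; Do not accept or enumerate trusted domains: winbind stays within
   ; the domain this machine is joined to, which is what is wanted here.
   allow trusted domains = no

   ; Stop getent passwd / getent group from asking winbind for the full
   ; user and group lists. Lookups of an individual name or id still work,
   ; so share access and file ownership are unaffected.
   winbind enum users = no
   winbind enum groups = no

   ; Cache answers so repeated lookups do not round-trip to the DC.
   winbind cache time = 300
```

After editing, run `testparm` to confirm that the installed Samba accepts every parameter, restart winbindd, and retry `wbinfo -g` and `getent passwd`. With enumeration off, `getent passwd` with no argument lists only local accounts; that is the expected behaviour, not a failure. Note that this fragment only addresses the second problem (winbind scope and enumeration); it does not change how the machine account obtains Kerberos tickets, so the Event ID 675/672 noise on the DC and GC has to be investigated separately.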
