[Samba] samba-3.0.14a-2 auth against a very Large AD domain

Gerald (Jerry) Carter jerry at samba.org
Wed Jan 11 22:27:09 GMT 2006

Hash: SHA1

Norris, Brent wrote:

> The first problem is the really major one:  I have two Fedora Core 4
> machines with all updates connected to the Windows AD.  They seem to be
> working fine when people try to get access to the shares that they have.  I
> was told by the domain admins that they are logging tons of Event ID 675 on
> the DC and tons of Event ID 672 on the GC from my two SAMBA machines.
> Looking these up they reference a Pre-Authentication issue with Kerberos.
> The bad part is that these are coming from the actual machines and not users
> accounts, so there is no way that I can turn off Pre-Authentication.  I need
> to know what I can do to stop this error, because this is an unacceptable
> situation from their point of view.

Please try setting this in in /etc/krb5.conf.

 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

> The second problem, I think, stems from the fact that we are such an odd
> configuration inside our forest.  When I try to run wbinfo -g or wbinfo -p
> it just hangs and locks up winbind.  I think it is because it is attempting
> to go out to the other domains and poll their accounts too.  If I pass the
> option to wbinfo to limit it to just our domain, it returns in a timely
> manner.  Unfortunately there doesn't seem to be a way to limit getent passwd
> to just my domain and there doesn't seem to be a way to just tell winbind to
> limit itself to my domain specifically.  I don't need to reference anything
> from the other districts domains, I only want to use objects from mine.
> Does anyone know of a way to make this happen?

This should work.

	winbind enum users = no
	winbind enum groups = no

cheers, jerry
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"There's an anonymous coward in all of us."               --anonymous
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the samba mailing list