[Samba] samba-3.0.14a-2 auth against a very Large AD domain
Gerald (Jerry) Carter
jerry at samba.org
Wed Jan 11 22:27:09 GMT 2006
Norris, Brent wrote:
> The first problem is the really major one: I have two Fedora Core 4
> machines with all updates connected to the Windows AD. They seem to be
> working fine when people try to get access to the shares that they have. I
> was told by the domain admins that they are logging tons of Event ID 675 on
> the DC and tons of Event ID 672 on the GC from my two SAMBA machines.
> Looking these up they reference a Pre-Authentication issue with Kerberos.
> The bad part is that these are coming from the actual machines and not user
> accounts, so there is no way that I can turn off Pre-Authentication. I need
> to know what I can do to stop this error, because this is an unacceptable
> situation from their point of view.
Please try setting this in /etc/krb5.conf.
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
> The second problem, I think, stems from the fact that we are such an odd
> configuration inside our forest. When I try to run wbinfo -g or wbinfo -p
> it just hangs and locks up winbind. I think it is because it is attempting
> to go out to the other domains and poll their accounts too. If I pass the
> option to wbinfo to limit it to just our domain, it returns in a timely
> manner. Unfortunately there doesn't seem to be a way to limit getent passwd
> to just my domain and there doesn't seem to be a way to just tell winbind to
> limit itself to my domain specifically. I don't need to reference anything
> from the other districts' domains, I only want to use objects from mine.
> Does anyone know of a way to make this happen?
This should work.
winbind enum users = no
winbind enum groups = no
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous