[Samba] Restricting to a subset of the domain controllers on a site

Wayne Rasmussen Wayne at gomonarch.com
Wed May 30 18:08:03 GMT 2007 

 

>What version of Samba are you running?

 

We are running samba-3.0.10 on Solaris 9.

 

> How are they enforcing this requirement on the Windows

> clients?  Using AD Sites top group DCs?

Their Answer:

 

Those other servers, while part of the domain are part of a separate
site used for exchange services.  They referred to the following links:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technolog
ies/directory/activedirectory/stepbystep/adsrv.mspx 

http://technet.microsoft.com/en-us/library/bb124367.aspx

 

So when the server boots and runs:

/usr/local/bin/kinit  IL02mcs at sanatized

/usr/local/samba/bin/net ads join

What determines which DCs are granting tickets/authenticating?
/etc/krb5.conf doesn't seem to be the limiting factor as in this case we
got machines not in krb5.conf.

 

They are basically telling us that samba needs to limit which DCs it is
using for lookup.  This seems counter intuitive to me.

 

 

 

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Wednesday, May 30, 2007 5:36 AM
To: Wayne Rasmussen
Cc: samba at lists.samba.org
Subject: Re: [Samba] Restricting to a subset of the domain controllers
on a site

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

Wayne Rasmussen wrote:

 

> They are telling us that we must restrict to only 

> authenticating to the domain controllers: DC1a DC2a

> DC3a DC4a

 

What version of Samba are you running?

 

 

> Is there a way to do this?  Is their request unreasonable?

 

How are they enforcing this requirement on the Windows

clients?  Using AD Sites top group DCs?

 

 

 

 

 

 

cheers, jerry

=====================================================================

Samba                                    ------- http://www.samba.org

Centeris                         -----------  http://www.centeris.com

"What man is a man who does not make the world better?"      --Balian

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.6 (GNU/Linux)

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

 

iD8DBQFGXW/DIR7qMdg1EfYRAp5SAJ9k0cpWsNRA6Itf3kDkx5CN4by++QCdHnqj

Hx0OJr/mJOvgvnHEmoXi0YY=

=FUhH

-----END PGP SIGNATURE-----

More information about the samba mailing list