[Samba] _Truly_ disabling trusted domains?

Michael Adam obnox at samba.org
Mon Dec 22 10:25:40 GMT 2008


Hi Nick,

Nick wrote:
> Is there a way to completely disable trusted domains in samba/winbind?  Some
> of the trusted domains are inaccessible to the client machines, which causes
> winbind not to work due to all the timeouts/errors.  I tried setting "allow
> trusted domains = no", but when looking at the debug logs it's obvious that
> winbind is still trying to look them up.  It appears that winbind doesn't
> respect the "allow trusted domains" at all.

Hmmm, you are right: The manual page seems to promise too much
in the description of "allow trusted domains". In fact, looking at
the code, it is a smbd-only option. It prevents smbd from performing
explicit requests (like authentication) for trusted domains, but
it does not prevent winbind from walking the list of trusted domains
and trying to establish a connection to each of them (for instance
when enumerating users).

> Does anyone know how to do this?  From my observations it appears that this
> is a bug.  I was going to file a bug report, however I wanted to make sure I
> did all my research first to see if I'm missing something.

It would be great if you could file a bug at https://bugzilla.samba.org/
Either the manpage or the code has to be fixed!

Here is the solution for your setup:

Recent versions of samba (3.2.6 for sure) have a config option

  "winbind:ignore domains = <list>"

that effectively prevents winbindd from contacting the listed
domains. This was introduced exactly to prevent winbindd from
timing out on attempts to contact unreachable domains.

Cheers - Michael

-- 
Michael Adam <ma at sernet.de>  <obnox at samba.org>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
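
Added example (not part of Michael's message and not Samba code): a small audit of an smb.conf [global] section for the gap described above, where "allow trusted domains = no" restricts only smbd and unreachable trusted domains must also appear in "winbind:ignore domains". The sample config, the domain names and the function names are constructed for illustration; exact, case-insensitive matching of domain names is an assumption of this sketch.

```python
import re

# Constructed sample [global] section; the domain names are placeholders.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    allow trusted domains = no
    winbind:ignore domains = LEGACY OLDCORP
"""

def _norm(name):
    # Simplification: compare names case-insensitively, collapsing whitespace.
    return re.sub(r"\s+", " ", name.strip().lower())

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def audit(conf_text, unreachable):
    """List findings for trusted domains winbindd would still contact."""
    params = global_params(conf_text)
    raw_list = params.get("winbind:ignore domains", "")
    # Assumption of this sketch: exact, case-insensitive domain name matching.
    ignored = {d.upper() for d in re.split(r"[,\s]+", raw_list) if d}
    findings = []
    smbd_only = params.get("allow trusted domains", "").lower()
    if smbd_only in ("no", "false", "off", "0") and not ignored:
        findings.append("allow trusted domains = no is set without "
                        "winbind:ignore domains; only smbd is restricted")
    for dom in sorted({d.upper() for d in unreachable} - ignored):
        findings.append(f"{dom} is unreachable but not listed in winbind:ignore domains")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, ["LEGACY", "OLDCORP", "PARTNER"]):
        print(finding)
```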