[Samba] How to restrict winbindd from accessing trusted domain objects.
Dmitry
mitroko at gmail.com
Tue May 27 12:37:50 GMT 2008
Greetings.
I have already dealt with the question at
http://lists-archives.org/samba/37558-winbindd-hangs-up-while-retreiving-usernames.html
and concluded that winbindd tries to get users and groups in trusted
domains.
We have three different domains in their own forests, connected by trust
relationships:
CITY-XXI.INT < - > DEP2.CITY-XXI.INT
DEP2.CITY-XXI.INT < - > ALL.INT
CITY-XXI.INT < - > ALL.INT
In my smb.conf I use the
allow trusted domains = No
key to restrict Samba from reading foreign domain objects, but
wbinfo -u returns a list of users from my domain (DEP2.CITY-XXI.INT) and
another domain (CITY-XXI),
wbinfo -g does the same,
and finally wbinfo -r hangs up while retrieving groups for the given user, trying to
reach and read objects in the ALL.INT and CITY-XXI.INT domains.
What configuration should I provide to Samba to limit it to its own domain
(ONLY DEP2) and prohibit any attempts to resolve foreign (even trusted) DCs,
etc.?
My current samba ver: 3.0.23c_2,1 (port-build)
My OS ver: FreeBSD 6.2-REL
My current smb.conf:
Load smb config files from /usr/local/etc/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = DEP2
realm = DEP2.CITY-XXI.INT
server string = SZRouter.DEP2.CITY-XXI.INT
interfaces = 10.1.9.0/24
security = ADS
auth methods = winbind
allow trusted domains = No
password server = City2.dep2.city-xxi.int
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
os level = 0
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
hosts allow = 10.1.9., 127.
Thank you!
Dzmitry Stremkouski.
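As an added example (not part of the original post), the following sh script audits the three smb.conf parameters the post turns on: it parses a constructed copy of the [global] section above with the same key normalisation testparm uses (case-insensitive, internal whitespace ignored) and reports which enumeration-related settings are enabled, so the effect of "winbind enum users/groups" and "allow trusted domains" can be checked before restarting winbindd. The function names (smb_get, smb_bool, audit_winbind) are the example's own.

```shell
#!/bin/sh
# Constructed excerpt of the [global] section from the post (not a live smb.conf).
SMB_CONF='[global]
workgroup = DEP2
allow trusted domains = No
winbind enum users = Yes
winbind enum groups = Yes
winbind cache time = 10
'

# smb_get CONFTEXT PARAM: print the value of PARAM from the [global] section.
# Keys are compared case-insensitively with whitespace removed, as testparm does.
smb_get() {
  printf '%s\n' "$1" | awk -v want="$2" '
    BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
    /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
    sect == "global" && /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      if (tolower(key) == want) {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        print val
      }
    }'
}

# smb_bool VALUE: succeed (0) for yes/true/1, fail (1) for anything else.
smb_bool() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    yes|true|1) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_winbind CONFTEXT: one line per parameter; "winbind enum users/groups = Yes"
# is what makes wbinfo -u / wbinfo -g enumerate directory objects at all.
audit_winbind() {
  conf="$1"
  for p in "winbind enum users" "winbind enum groups" "allow trusted domains"; do
    v=$(smb_get "$conf" "$p")
    if smb_bool "$v"; then
      echo "$p = $v (enumeration enabled)"
    else
      echo "$p = $v"
    fi
  done
}

audit_winbind "$SMB_CONF"
```

Run it against a real file with `audit_winbind "$(cat /usr/local/etc/smb.conf)"`; on this configuration it flags both winbind enum parameters as enabled.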