[Samba] How to stop winbind client connecting to trusted DC

Ryan Ho tsun.ho at outlook.com
Mon Dec 1 06:59:02 MST 2014

Hi All,

Wonder if someone can help?

We have mixed Windows & Linux boxes in the DomA network.   AFAIK all DomA clients are blocked and direct connections to DomB are not possible by design & for security.

DomA DC(Windows) -- trust --> DomB DC(Windows)
DomA Linux Client(DALC) winbind Samba 3.0.33

For some reason the DomA Linux client attempts LDAP connections to all DomB DCs once every 5 to 10 minutes.  When that happens it halts applications & commands in ssh sessions, e.g. ls -l, wbinfo -i <username> hang for up to a minute or two.  DomB has 9 DCs at various locations. I can see it's trying to connect to the 9 hosts in turn: attempt connection, blocked, wait for timeout I assume, then try the next host.

This causes major issues for the Linux boxes.  I can see this with tcpdump.  When it attempts an LDAP connection to DomB, any Samba lookup (e.g. wbinfo -i, ls -l) hangs for one to two minutes every time.

There are no DomB settings mentioned in the Linux client configs, but somehow it knows DomB is there and tries to connect by LDAP.

Linux clients in DomA do not need to authenticate against DomB.  They need to authenticate against DomA only.

How can I make the DomA Linux client stop connecting to DomB LDAP, or eliminate the hang/delay entirely?

DomA Windows client boxes seem to be able to authenticate DomB user accounts without a direct connection to DomB.  The Windows DC and Windows clients work fine.  I do not want to touch those.

Any help is highly appreciated.

Many thanks.
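Added example, not part of the post above and not Samba project code. The behaviour described (winbindd with no DomB in its config still walking every DomB DC) comes from winbindd learning the trust list from its own DC and then trying to reach each trusted domain's DCs. The smb.conf global `allow trusted domains = no` tells winbindd to stay in its own domain; the side effect is that DomB accounts stop resolving on that box, which the post says is acceptable. The script below shows a constructed "before" config next to the corrected one and a small parser that checks whether a given smb.conf text actually carries the setting (parameter names in smb.conf are case-insensitive and spacing around "=" is free, so a plain grep is easy to get wrong). Domain and realm names, both config texts, and the /etc/samba/smb.conf path are assumptions; winbindd has to be restarted after the change for it to take effect.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the smb.conf change that
# keeps winbindd from walking the trusted domain (allow trusted domains = no)
# and a check that a config really carries it. Domain/realm names and both
# config texts are constructed; the real file is assumed to be /etc/samba/smb.conf.

# Constructed "before" config: nothing mentions DomB, yet winbindd learns the
# trust from the DomA DC and starts contacting every DomB DC it can find.
BEFORE_CONF='[global]
   workgroup = DOMA
   realm = DOMA.EXAMPLE
   security = ads
   winbind enum users = yes
   winbind enum groups = yes
'

# Constructed "after" config: winbindd stays in its own domain. DomB accounts
# will no longer resolve on this box, which is what the post asks for. The two
# enum settings are turned off as well so winbindd stops bulk-enumerating.
AFTER_CONF='[global]
   workgroup = DOMA
   realm = DOMA.EXAMPLE
   security = ads
   allow trusted domains = no
   winbind enum users = no
   winbind enum groups = no
'

# Print the value of one [global] parameter from smb.conf text on stdin,
# lowercased, or "unset". Parameter names are case-insensitive, may carry
# any amount of whitespace around "=", and the last occurrence wins.
smb_global_param() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); gsub(/[ \t]+/, " ", want); val = "unset"; inglobal = 0 }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # section header
            sec = $0
            gsub(/^[ \t]*\[|][ \t]*$/, "", sec)
            inglobal = (tolower(sec) == "global")
            next
        }
        inglobal && index($0, "=") > 0 {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(key) == want) val = tolower(v)
        }
        END { print val }'
}

# Succeed (exit 0) when the given smb.conf text keeps winbindd from contacting
# trusted domains.
winbind_stays_home() {
    [ "$(printf '%s\n' "$1" | smb_global_param "allow trusted domains")" = "no" ]
}

# Wall-clock seconds for one winbind lookup, the symptom the post describes
# (a minute or two per lookup while DomB DCs time out). Needs wbinfo, so it
# reports and returns 2 where winbind is not installed.
winbind_lookup_seconds() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed" >&2; return 2; }
    start=$(date +%s)
    wbinfo -i "$1" >/dev/null 2>&1
    echo $(( $(date +%s) - start ))
}

# Demonstration on the constructed configs.
for label in before after; do
    if [ "$label" = before ]; then conf=$BEFORE_CONF; else conf=$AFTER_CONF; fi
    if winbind_stays_home "$conf"; then
        echo "$label: winbindd stays in DOMA"
    else
        echo "$label: winbindd will enumerate and contact trusted domains"
    fi
done
```

To check the live file rather than the constructed text, run `winbind_stays_home "$(cat /etc/samba/smb.conf)"`; after editing and restarting winbindd, `wbinfo -m` (which lists the domains winbindd knows about) should show only DOMA, and `winbind_lookup_seconds someuser` should stay in single digits instead of the minute-long stalls the post reports.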


