RE: [Samba] unreachable trusted domains in enterprise environment
Hi Jerry,

That kind of worked.

I do have another problem now though. wbinfo --domain=DOMAIN -u or wbinfo --domain=DOMAIN -g both time out. Also, getent passwd eventually times out as well after displaying a massive list of users, although restricting it to a user works correctly - eg 'getent passwd 'Domain\User'. I can also assign AD permissions to the filesystem without problem.

winbindd -d3 gives me the following output when I type wbinfo -u --domain=DOMAIN

[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
[2005/12/01 12:45:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe

We have about 48000 users in our tree but 47000 of those are irrelevant to us. Our tree is also (mis)configured to have a replica of the entire tree on each server so while I think this has sorted most of our problems out, the ldap query just takes too long and it times out even on lan. I did put a parameter ldap timeout = 180 (3 minutes?) in smb.conf but it didn't seem to make any difference.

Or, alternatively, if we can restrict the ldap searches to a particular OU then I'd expect that would bring our ldap search times down, although I don't know if ldap.conf has anything to do with this particular problem.

btw, if I don't specify --domain= wbinfo will still try and enumerate the other trusted domains and wbinfo -m will still list all the other domains we don't care about.

-----Original Message-----
From: samba-bounces+adonald=acnielsen.com.au@lists.samba.org [mailto:samba-bounces+adonald=acnielsen.com.au@lists.samba.org] On Behalf Of Gerald (Jerry) Carter
Sent: Wednesday, 30 November 2005 2:43 AM
To: Donald, Alan
Cc: samba@lists.samba.org
Subject: Re: [Samba] unreachable trusted domains in enterprise environment

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Donald, Alan wrote:
| Basically what we would like to do is ensure that
| any ADS/Kerberos/LDAP traffic follow the 'sites and services'
| definition we have setup. That is, the ADS/LDAP/Kerberos
| traffic does not leave our office and only attempts to use
| our local DC for any queries. We'd also like to ignore
| (or use) a list of domains we specify. I did try setting
| the password server, but I think it is only for
| security = Domain type configurations (?).

No. password server is used for 'security = ads' as well. If you don't want any of the trusted domains, you can set 'allow trusted domains = no'. That's about the best solution I can give you right now. You might also want to test 3.0.21rc1 as we've done some more winbindd improvements.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
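An added example, not part of the messages above and not Samba code: a small parser for the winbindd debug log layout quoted in the thread that measures the delay between consecutive entries, so a stalled LDAP enumeration shows up as a number. The function names, the 30-second threshold and the embedded sample (rebuilt from four of the quoted entries) are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample: four entries from the winbindd -d3 output quoted above,
# laid out as a header line followed by an indented message line.
SAMPLE_LOG = """\
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
"""

# Entry header: [timestamp, debuglevel] source_file:function(line)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+\S+:(\w+)\(\d+\)\s*$"
)

def parse_entries(text):
    """Return one dict per log entry: timestamp, function name, message text."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "function": m.group(2),
                "message": "",
            })
        elif entries and line.strip():
            # Any non-header line continues the message of the current entry.
            joined = entries[-1]["message"] + " " + line.strip()
            entries[-1]["message"] = joined.strip()
    return entries

def find_stalls(entries, threshold_seconds=30):
    """Return (gap, previous function, next function, message) for long gaps."""
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur["time"] - prev["time"]).total_seconds()
        if gap >= threshold_seconds:
            stalls.append((gap, prev["function"], cur["function"], cur["message"]))
    return stalls

if __name__ == "__main__":
    for gap, before, after, msg in find_stalls(parse_entries(SAMPLE_LOG)):
        print(f"{gap:.0f}s between {before} and {after}: {msg}")
```

On the sample, the only gap above the threshold is the 70 seconds between query_user_list starting and ads_do_paged_search reporting "Timed out".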