Hi Jerry, That kind of worked.
I do have another problem now though. wbinfo --domain=DOMAIN -u or wbinfo --domain=DOMAIN -g both time out. Also, getent passwd eventually times out as well after displaying a massive list of users, although restricting it to a user works correctly, e.g. getent passwd 'Domain\User'. I can also assign AD permissions to the filesystem without problem.

winbindd -d3 gives me the following output when I type wbinfo -u --domain=DOMAIN:

[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
[2005/12/01 12:45:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe

We have about 48000 users in our tree but 47000 of those are irrelevant to us. Our tree is also (mis)configured to have a replica of the entire tree on each server, so while I think this has sorted most of our problems out, the ldap query just takes too long and it times out even on the LAN. I did put a parameter ldap timeout = 180 (3 minutes?) in smb.conf but it didn't seem to make any difference.
Or, alternatively, if we can restrict the ldap searches to a particular OU then I'd expect that would bring our ldap search times down, although I don't know if ldap.conf has anything to do with this particular problem.

BTW, if I don't specify --domain= wbinfo will still try and enumerate the other trusted domains, and wbinfo -m will still list all the other domains we don't care about.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerald (Jerry) Carter
Sent: Wednesday, 30 November 2005 2:43 AM
To: Donald, Alan
Cc: [email protected]
Subject: Re: [Samba] unreachable trusted domains in enterprise environment

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Donald, Alan wrote:
| Basically what we would like to do is ensure that
| any ADS/Kerberos/LDAP traffic follow the 'sites and services'
| definition we have setup. That is, the ADS/LDAP/Kerberos
| traffic does not leave our office and only attempts to use
| our local DC for any queries. We'd also like to ignore
| (or use) a list of domains we specify. I did try setting
| the password server, but I think it is only for
| security = Domain type configurations (?).

No. password server is used for 'security = ads' as well.

If you don't want any of the trusted domains, you can set 'allow trusted domains = no'. That's about the best solution I can give you right now. You might also want to test 3.0.21rc1 as we've done some more winbindd improvements.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
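An added example, not from either message in the thread: an smb.conf [global] fragment that pulls together the settings Jerry mentions (password server and allow trusted domains) for a security = ads member server. The workgroup, realm and DC names are placeholders, and the two winbind enum lines are an assumption added here for the getent passwd time-out, not something the thread states.

```ini
[global]
   ; placeholders: short NetBIOS domain name and Kerberos realm
   workgroup = DOMAIN
   realm = DOMAIN.EXAMPLE
   security = ads

   ; Keep ADS/LDAP/Kerberos traffic on our local DCs instead of whatever
   ; DC the DNS / site lookup hands back. Per Jerry's reply this is
   ; honoured for security = ads, not only for security = domain.
   ; (placeholder host names)
   password server = dc1.example.internal dc2.example.internal

   ; Ignore every trusted domain: wbinfo -m then lists only our own domain
   ; and winbindd stops trying to enumerate the unreachable ones.
   allow trusted domains = no

   ; Assumption (not from the thread): with a ~48000-user tree, stop
   ; getent passwd / getent group from walking the whole directory.
   ; Single-user lookups such as getent passwd 'DOMAIN\user' still work,
   ; they go through a targeted query rather than a full enumeration.
   winbind enum users = no
   winbind enum groups = no

   ; example idmap ranges for the 3.0.x syntax
   idmap uid = 10000-20000
   idmap gid = 10000-20000
```

Samba's smb.conf parser does not accept a comment after a value on the same line, so the comments above deliberately sit on their own lines; run testparm after editing to confirm the file parses.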
