samba - Sep 2003 - FW: Samba 2.2.8a / Winbind and Domains

I originally sent this to samba-technical which as a typical first stpe for
me was probably wrong.... ;-)
Anyone here have any ideas?

-----Original Message-----
From: Petty, Robert [mailto:rpetty@denvernewspaperagency.com]
Sent: Tuesday, September 23, 2003 10:07 AM
To: samba-technical@lists.samba.org
Subject: Samba 2.2.8a / Winbind and Domains


I have searched the archived through google and found only a few
suggestions, a couple of which suggested this mailing list so I am posting
here hoping I won't offend anyone...

We have an NT domain which is part of a corporate network with trusts
established to other domains in the corporation.  I have added winbind to my
samba configuration on a Solaris 9 server.  We've been using samba for
years, but this is the first implementation of Winbind.  I am including the
global configuration information below.  I join a single domain (den1), but
winbind add the other trusted domains (cal1,production).  When I access
shares, I can see with winbind in debug mode that it tries all addresses
provided by our wins server for the domain "cal1" before going to even
the specific domain provided in the username..  Unfortunately it takes
about ten or twelve seconds to get through all 5 addresses which are
provided.  I added "cal1" to my lmhosts file for samba and winbind is
getting the single address for it (127.0.0.1) but still, cal1 is being
queried even though the username in the challenge is "den1\pettyr".

So here are my questions:

1) Can I override and prohibit the querying of trusted domains and limit the
queries to the domain which winbind is a member of?
2) Can I increase the time that a challenge is valid?  Right now, if I
remain inactive for around ten seconds, the next access to any shares
requires a revalidation via winbind.  This is time consuming and very
frusterating.


My smb.conf:

[global]
        workgroup = DEN1
        netbios name = classfs
        interface = classfs
        interfaces = classfs/255.255.255.0
        bind interfaces only = Yes
        security = domain
        encrypt passwords = Yes
        password server = *
        server string = Samba (%v) domain (%h)
        template homedir = /usr/local/samba/home/%D/%U
        lock dir = /dna/samba/locks
        pid directory = /dna/samba/var/locks
        log file = /var/opt/samba/smb.log
        wins server = 10.39.9.1 10.39.10.1
        winbind uid = 19000-21000
        winbind gid = 19000-19000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = true
        allow trusted domains = no
        keepalive = 300


Thanks in advance for any suggestions!

Robert

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Petty, Robert wrote:

| 1) Can I override and prohibit the querying of trusted domains and
limit the
| queries to the domain which winbind is a member of?

I would need to see the winbindd log file to understand
why it is contacting the other domains.  Can you send me
a level 10 debug log for winbindd off list?

| 2) Can I increase the time that a challenge is valid?  Right now, if I
| remain inactive for around ten seconds, the next access to any shares
| requires a revalidation via winbind.  This is time consuming and very
| frusterating.

Try

~  winbind cache time = 600

| [global]
|         workgroup = DEN1
|         netbios name = classfs
|         interface = classfs
|         interfaces = classfs/255.255.255.0
|         bind interfaces only = Yes
|         security = domain
|         encrypt passwords = Yes
|         password server = *
|         server string = Samba (%v) domain (%h)
|         template homedir = /usr/local/samba/home/%D/%U
|         lock dir = /dna/samba/locks
|         pid directory = /dna/samba/var/locks
|         log file = /var/opt/samba/smb.log
|         wins server = 10.39.9.1 10.39.10.1

2.2.x will only work correctly with one wins server.
3.0 support multiple WINS servers.

|         winbind uid = 19000-21000
|         winbind gid = 19000-19000
|         winbind enum users = yes
|         winbind enum groups = yes
|         winbind use default domain = true
|         allow trusted domains = no
|         keepalive = 300



~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "You can never go home again, Oatman, but I guess you can shop
there."
~                            --John Cusack - "Grosse Point Blank"
(1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/ev1JIR7qMdg1EfYRAvCIAJ0Z0iVLmpfB6ydoIELIpZF92/70gACglyMt
iGAW+GMvGU3CwlUooxsYZKc=prsB
-----END PGP SIGNATURE-----