Roman Rathler
2004-Jun-16 10:36 UTC
[Samba] Winbind in ADS forest hangs when not able to talk to other DCs
Hi there,

We have a winbind installation here that is used for squid authentication and group resolving. The winbind server is part of the domain ch.domain.intern. The ADS forest is organized like

    domain.intern
    ch.domain.intern
    at.domain.intern
    fr.domain.intern

and other sites will follow.

Authentication and group resolving actually work fine, BUT: if the link to at or fr is down, winbind hangs!!!

First of all: why does winbind try to connect to at or fr domain controllers, because there is no information for winbind on these servers? How can I keep winbind away from trying to connect to these domain controllers?

My smb.conf:

    [global]
        workgroup = CHDOM01
        server string = proxy
        client use spnego = yes
        load printers = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        # winbind separator = +
        winbind cache time = 10
        winbind enum users = yes
        winbind enum groups = yes
        log file = /var/log/samba/%m.log
        max log size = 50
        security = ads
        realm = ch.domain.intern
        password server = wsvch01 wsvch02
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

My krb5.conf:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = CH.DOMAIN.INTERN
        # default_tgs_enctypes = des-cbc-crc des-cbc-md5
        # default_tkt_enctypes = des-cbc-crc des-cbc-md5
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        CH.DOMAIN.INTERN = {
            kdc = wsvch01.ch.domain.intern:88
            default_domain = ch.domain.intern
        }

    [domain_realm]
        .ch.domain.intern = CH.DOMAIN.INTERN
        ch.domain.intern = CH.DOMAIN.INTERN

    [kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

Any suggestions? Thnx in advance.

Best regards,
Roman
Roman Rathler
2004-Aug-12 14:09 UTC
[Samba] Still: Winbind in ADS forest hangs when not able to talk to other DCs
Hey,

we still fight with this problem... I cannot believe that there is no one out there having a clue...

Cheers.
Roman

Begin forwarded Message from Roman Rathler, Wed, 16 Jun 2004 12:36:28 +0200 (METDST):

Hi there,

We have a winbind installation here that is used for squid authentication and group resolving. The winbind server is part of the domain ch.domain.intern. The ADS forest is organized like

    domain.intern
    ch.domain.intern
    at.domain.intern
    fr.domain.intern

and other sites will follow.

Authentication and group resolving actually work fine, BUT: if the link to at or fr is down, winbind hangs!!!

First of all: why does winbind try to connect to at or fr domain controllers, because there is no information for winbind on these servers? How can I keep winbind away from trying to connect to these domain controllers?

My smb.conf:

    [global]
        workgroup = CHDOM01
        server string = proxy
        client use spnego = yes
        load printers = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        # winbind separator = +
        winbind cache time = 10
        winbind enum users = yes
        winbind enum groups = yes
        log file = /var/log/samba/%m.log
        max log size = 50
        security = ads
        realm = ch.domain.intern
        password server = wsvch01 wsvch02
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

My krb5.conf:

    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = CH.DOMAIN.INTERN
        # default_tgs_enctypes = des-cbc-crc des-cbc-md5
        # default_tkt_enctypes = des-cbc-crc des-cbc-md5
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        CH.DOMAIN.INTERN = {
            kdc = wsvch01.ch.domain.intern:88
            default_domain = ch.domain.intern
        }

    [domain_realm]
        .ch.domain.intern = CH.DOMAIN.INTERN
        ch.domain.intern = CH.DOMAIN.INTERN

    [kdc]
        profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
        pam = {
            debug = false
            ticket_lifetime = 36000
            renew_lifetime = 36000
            forwardable = true
            krb4_convert = false
        }

Any suggestions? Thnx in advance.

Best regards,
Roman