Donald, Alan
2005-Nov-28 22:45 UTC
[Samba] unreachable trusted domains in enterprise environment
Hi All,

We have quite a complex enterprise environment which includes a global domain and lots of little asteroid domains all trusted by the central domain. We have (imaginatively) called this central domain ENTERPRISE. I have configured Samba to be an ADS member server successfully, but due to our network design many of the asteroid domains' DCs are uncontactable from our regional office. Additionally, many of the ENTERPRISE domain DCs are also uncontactable (but this does not cause us any problem, since all of our DCs have a replica of the entire AD tree - yes, I know this is stupid).

Basically what we would like to do is ensure that any ADS/Kerberos/LDAP traffic follows the 'sites and services' definition we have set up. That is, the ADS/LDAP/Kerberos traffic does not leave our office and only attempts to use our local DC for any queries. We'd also like to ignore (or use) a list of domains we specify. I did try setting the password server, but I think it is only for security = Domain type configurations (?). Anyways, I can't see any options in smb.conf or other places that might have this type of configuration.

As an ugly kludge I did try to delete the default gateway so any requests to remote DCs get failed instantly (our DC is on the same subnet as our Samba server) but it didn't make much difference.

Any help would be greatly appreciated.

Alan
Gerald (Jerry) Carter
2005-Nov-29 15:43 UTC
[Samba] unreachable trusted domains in enterprise environment
Donald, Alan wrote:
| Basically what we would like to do is ensure that
| any ADS/Kerberos/LDAP traffic follows the 'sites and services'
| definition we have set up. That is, the ADS/LDAP/Kerberos
| traffic does not leave our office and only attempts to use
| our local DC for any queries. We'd also like to ignore
| (or use) a list of domains we specify. I did try setting
| the password server, but I think it is only for
| security = Domain type configurations (?).

No. password server is used for 'security = ads' as well. If you don't want any of the trusted domains, you can set 'allow trusted domains = no'. That's about the best solution I can give you right now.

You might also want to test 3.0.21rc1 as we've done some more winbindd improvements.

cheers, jerry

Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous
Donald, Alan
2005-Dec-01 02:59 UTC
[Samba] unreachable trusted domains in enterprise environment
Hi Jerry,

That kind of worked. I do have another problem now though. wbinfo --domain=DOMAIN -u or wbinfo --domain=DOMAIN -g both time out. Also, getent passwd eventually times out as well after displaying a massive list of users, although restricting it to a user works correctly - e.g. getent passwd 'Domain\User'. I can also assign AD permissions to the filesystem without problem.

winbindd -d3 gives me the following output when I type wbinfo -u --domain=DOMAIN:

[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:43:22, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
[2005/12/01 12:45:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(453)
  [ 0]: request interface version
[2005/12/01 12:48:32, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(486)
  [ 0]: request location of privileged pipe

We have about 48000 users in our tree but 47000 of those are irrelevant to us. Our tree is also (mis)configured to have a replica of the entire tree on each server, so while I think this has sorted most of our problems out, the LDAP query just takes too long and it times out even on the LAN. I did put a parameter ldap timeout = 180 (3 minutes?) in smb.conf but it didn't seem to make any difference.
Or, alternatively, if we can restrict the LDAP searches to a particular OU then I'd expect that would bring our LDAP search times down, although I don't know if ldap.conf has anything to do with this particular problem.

btw, if I don't specify --domain= wbinfo will still try and enumerate the other trusted domains, and wbinfo -m will still list all the other domains we don't care about.
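As an added example (not from the thread or from Samba itself), a small Python parser for the winbindd -d3 output Alan posted: it pairs each timestamped header with the message line that follows it, finds paged LDAP searches that ended in "Timed out", and reports how long winbindd waited and how many entries still came back, so the observed wait can be compared with the ldap timeout value set in smb.conf. The sample log is constructed to match the lines in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the winbindd -d3 format from the thread: a header line, then the message.
SAMPLE_LOG = """\
[2005/12/01 12:43:22, 3] nsswitch/winbindd_user.c:winbindd_list_users(738)
  [ 0]: list users
[2005/12/01 12:43:22, 3] nsswitch/winbindd_ads.c:query_user_list(164)
  ads: query_user_list
[2005/12/01 12:44:32, 3] libads/ldap.c:ads_do_paged_search(519)
  ads_do_paged_search: ldap_search_with_timeout((objectClass=user)) -> Timed out
[2005/12/01 12:44:33, 3] nsswitch/winbindd_ads.c:query_user_list(234)
  ads query_user_list gave 25000 entries
"""

# "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] \S+:(\w+)\(\d+\)")

def parse_entries(text):
    """Group each header line with the indented message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append({"ts": ts, "level": int(m.group(2)), "func": m.group(3), "msg": ""})
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def find_timed_out_searches(entries):
    """One record per paged LDAP search that timed out: seconds from the start of
    query_user_list to the timeout, and the number of entries that still came back."""
    results, start = [], None
    for e in entries:
        if e["func"] == "query_user_list" and e["msg"] == "ads: query_user_list":
            start = e["ts"]
        elif e["func"] == "ads_do_paged_search" and "Timed out" in e["msg"] and start:
            results.append({"waited_s": (e["ts"] - start).total_seconds(), "entries": None})
        elif e["func"] == "query_user_list" and "gave" in e["msg"] and results:
            results[-1]["entries"] = int(re.search(r"gave (\d+) entries", e["msg"]).group(1))
            start = None
    return results

def search_cut_short(record, ldap_timeout_s):
    """True when the search timed out well before the configured ldap timeout
    (e.g. 70 s waited against ldap timeout = 180): that setting was not what fired."""
    return record["waited_s"] < ldap_timeout_s
```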