Norris, Brent
2006-Jan-11 14:13 UTC
[Samba] samba-3.0.14a-2 auth against a very Large AD domain
I have set up SAMBA to authenticate to a 2003 (probably SP1) domain and I am having two very distinct problems. I have searched the archives, but each time I see this question asked I never see any answers, and I need an answer or I am going to have to shut this off.

I work in the Kentucky school systems and we have one AD forest containing one domain for each county in the state. That totals up to 180 domains inside one forest. I don't have any access to the Domain Controller or the Global Catalog server in our network. That is managed by a state agency.

The first problem is the really major one: I have two Fedora Core 4 machines with all updates connected to the Windows AD. They seem to be working fine when people try to get access to the shares that they have. I was told by the domain admins that they are logging tons of Event ID 675 on the DC and tons of Event ID 672 on the GC from my two SAMBA machines. Looking these up, they reference a Pre-Authentication issue with Kerberos. The bad part is that these are coming from the actual machines and not user accounts, so there is no way that I can turn off Pre-Authentication. I need to know what I can do to stop this error, because this is an unacceptable situation from their point of view.

The second problem, I think, stems from the fact that we are such an odd configuration inside our forest. When I try to run wbinfo -g or wbinfo -p it just hangs and locks up winbind. I think it is because it is attempting to go out to the other domains and poll their accounts too. If I pass the option to wbinfo to limit it to just our domain, it returns in a timely manner. Unfortunately there doesn't seem to be a way to limit getent passwd to just my domain, and there doesn't seem to be a way to just tell winbind to limit itself to my domain specifically. I don't need to reference anything from the other districts' domains; I only want to use objects from mine. Does anyone know of a way to make this happen?
Thanks for any help you can give me, this is a pressing matter for me. Brent Norris Network Administrator, Edmonson County Schools
Gerald (Jerry) Carter
2006-Jan-11 22:29 UTC
[Samba] samba-3.0.14a-2 auth against a very Large AD domain
Norris, Brent wrote:

> The first problem is the really major one: I have two Fedora Core 4
> machines with all updates connected to the Windows AD. They seem to be
> working fine when people try to get access to the shares that they have. I
> was told by the domain admins that they are logging tons of Event ID 675 on
> the DC and tons of Event ID 672 on the GC from my two SAMBA machines.
> Looking these up, they reference a Pre-Authentication issue with Kerberos.
> The bad part is that these are coming from the actual machines and not user
> accounts, so there is no way that I can turn off Pre-Authentication. I need
> to know what I can do to stop this error, because this is an unacceptable
> situation from their point of view.

Please try setting this in /etc/krb5.conf:

    [libdefaults]
        default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

> The second problem, I think, stems from the fact that we are such an odd
> configuration inside our forest. When I try to run wbinfo -g or wbinfo -p
> it just hangs and locks up winbind. I think it is because it is attempting
> to go out to the other domains and poll their accounts too. If I pass the
> option to wbinfo to limit it to just our domain, it returns in a timely
> manner. Unfortunately there doesn't seem to be a way to limit getent passwd
> to just my domain, and there doesn't seem to be a way to just tell winbind to
> limit itself to my domain specifically. I don't need to reference anything
> from the other districts' domains; I only want to use objects from mine.
> Does anyone know of a way to make this happen?

This should work:

    winbind enum users = no
    winbind enum groups = no

cheers, jerry

====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"There's an anonymous coward in all of us." --anonymous
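A small check for both settings in the reply above, added here as an example that is not part of the thread or of Samba itself: it parses a constructed krb5.conf and smb.conf (the realm name is a placeholder), returns the enctype lists in preference order, reports whether winbind enumeration is off, and flags the single-DES enctypes, which were the norm in 2006 but are no longer built into current MIT krb5 and are disabled by default in modern Active Directory.

```python
# Constructed samples reproducing the reply's settings; the realm name is a placeholder.
KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
"""
SMB_CONF = """\
[global]
    security = ads
    realm = EXAMPLE.LOCAL
    winbind enum users = no
    winbind enum groups = no
"""
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")
ENUM_KEYS = ("winbind enum users", "winbind enum groups")

def parse_ini(text):
    """[section] headers and 'key = value' lines; krb5.conf's nested { } blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("{"):          # start of a nested krb5.conf block, e.g. a realm
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def krb5_enctypes(text):
    """{key: [enctype, ...]} for the three lists, lower-cased, in preference order."""
    libdefaults = parse_ini(text).get("libdefaults", {})
    return {k: libdefaults.get(k, "").lower().split() for k in ENCTYPE_KEYS}

def legacy_enctypes(text):
    """Single-DES entries: fine in 2006, but current MIT krb5 drops them and modern AD disables them."""
    return sorted({e for lst in krb5_enctypes(text).values() for e in lst if e.startswith("des-")})

def winbind_enum_disabled(text):
    """True when both enumeration knobs are off; an absent key counts as not disabled."""
    g = parse_ini(text).get("global", {})
    return all(g.get(k, "yes").lower() in ("no", "false", "0") for k in ENUM_KEYS)
```

Point the two parsers at the real files on a member server to see which enctypes the host will offer and whether enumeration is actually off before the next wbinfo -g run.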