Dmitry
2008-May-27  12:38 UTC
[Samba] How to restrict winbindd to access trusted domains objects.
Greetings.
I've already dealt with the question at
http://lists-archives.org/samba/37558-winbindd-hangs-up-while-retreiving-usernames.html
and concluded that winbindd tries to get users and groups in trusted
domains.
We have three different domains in their forests, connected by trust
relationships:
CITY-XXI.INT < - > DEP2.CITY-XXI.INT
DEP2.CITY-XXI.INT < - > ALL.INT
CITY-XXI.INT < - > ALL.INT
In my smb.conf I use
        allow trusted domains = No
key to restrict samba from reading foreign domain objects, but
wbinfo -u returns the list of users from my domain (DEP2.CITY-XXI.INT) and
from another domain (CITY-XXI),
wbinfo -g does the same,
and finally wbinfo -r hangs up retrieving groups for the given user, trying to
reach and read objects in the ALL.INT and CITY-XXI.INT domains.
What configuration should I provide to samba to limit it to its own domain
(ONLY DEP2) and prohibit any attempts to resolve foreign (even trusted) DCs
etc...
My current samba ver: 3.0.23c_2,1 (port-build)
My OS ver: FreeBSD 6.2-REL
My current smb.conf:
Load smb config files from /usr/local/etc/smb.conf
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = DEP2
        realm = DEP2.CITY-XXI.INT
        server string = SZRouter.DEP2.CITY-XXI.INT
        interfaces = 10.1.9.0/24
        security = ADS
        auth methods = winbind
        allow trusted domains = No
        password server = City2.dep2.city-xxi.int
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        hosts allow = 10.1.9., 127.
Thank you!
Dzmitry Stremkouski.
Gerald (Jerry) Carter
2008-May-27  12:54 UTC
[Samba] How to restrict winbindd to access trusted domains objects.
Dmitry wrote:
| What configuration should I provide to samba to limit
| it in it's own domain (ONLY DEP2) and prohibit any
| tries to resolve foreign (even trusted) DC's
| etc...
|
| My current samba ver: 3.0.23c_2,1 (port-build)
| My OS ver: FreeBSD 6.2-REL
| My current smb.conf:
| Load smb config files from /usr/local/etc/smb.conf
| Loaded services file OK.
| 'winbind separator = +' might cause problems with group membership.
| Server role: ROLE_DOMAIN_MEMBER
| [global]
|         workgroup = DEP2
|         realm = DEP2.CITY-XXI.INT
|         server string = SZRouter.DEP2.CITY-XXI.INT
|         interfaces = 10.1.9.0/24
|         security = ADS
|         auth methods = winbind
~         ^^^^^^^^^^^^^^^^^^^^^^ don't ever set this.
|         allow trusted domains = No
~         ^^^^^^^^^^^^^^^^^^^^^^^^^^ This should be enough but I do remember
a bug regarding that parameter. Would you mind giving 3.0.29 a try and see
if my memory is correct and the bug has been fixed.

cheers, jerry

--
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
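The two symptoms in this thread (the `auth methods` line Jerry flags, and `allow trusted domains = No` not stopping `wbinfo -u` from listing CITY-XXI users) can be checked mechanically from the config and the wbinfo output. The following is an added example written for this archive page, not code from the thread or from the Samba project; the smb.conf fragment and wbinfo output it parses are constructed samples modelled on Dmitry's post, and the `+` separator / default-domain handling follow his settings.

```python
"""Lint an smb.conf [global] section and classify wbinfo -u/-g output by domain."""
import re

_TRUE = {"yes", "true", "1"}


def parse_global(smb_conf: str) -> dict:
    """Return [global] parameters as a lowercase key -> value dict."""
    section, params = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def foreign_entries(wbinfo_output: str, workgroup: str, separator: str) -> list:
    """Entries whose DOMAIN<sep>name prefix is not our workgroup.

    With 'winbind use default domain = Yes' (as in the post), local names are
    emitted without a prefix, so an unprefixed name is treated as local and
    any prefixed name from another domain is a leak of trusted-domain objects.
    """
    foreign = []
    for name in wbinfo_output.split():
        domain, sep, _ = name.partition(separator)
        if sep and domain.upper() != workgroup.upper():
            foreign.append(name)
    return foreign


def check(smb_conf: str, wbinfo_u: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    g = parse_global(smb_conf)
    findings = []
    if "auth methods" in g:
        findings.append("auth methods is set explicitly; leave it unset")
    if g.get("allow trusted domains", "yes").lower() in _TRUE:
        findings.append("allow trusted domains is not No")
    leaked = foreign_entries(wbinfo_u, g.get("workgroup", ""), g.get("winbind separator", "\\"))
    if leaked:
        findings.append("trusted-domain objects still enumerated: " + ", ".join(leaked))
    return findings
```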