Trying to set up a Linux server to authenticate users against the corporate Active Directory, we're facing a problem. We're using Samba, winbind, krb5 and PAM.
The problem arises when trying to list users from the system: winbind tries to look them up in all the trusted domains of the company branches. As those cannot be reached from the Linux server, we get a timeout.
How can we tell Samba or winbind to only look for users in the parent domain and avoid the rest?
We want users from company.com but not from branch1.company.com.
EDIT: Samba version is 3.0.33 on RH4.
It sounds like this functionality, present in Samba prior to 3.0.26, regressed. A patch was proposed and it was re-added in Samba 3.3.
If you're prepared to patch Samba's source code yourself, there is an "only domains" patch, which is the inverse of "ignore domains".
You could add this option to smb.conf:
I actually have this setup on my Ubuntu workstation in the office so I don't have to use Windows but can still authenticate off the domain's AD. We have several domains that are trusted, so I limited it down to our main AD domain used for workstation logins. I believe I have found all the relevant entries, so if you have trouble let me know and I'll hunt for other stragglers that may be scattered in the config.
Also of note, I had to make sure that Samba and winbind were started nearly last in order to be able to authenticate after the system was rebooted.
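As an added example (this is not the configuration from the answer above, which is not reproduced on this page, nor code from the Samba project): a small Python checker that parses an smb.conf, reports the [global] settings that leave winbind free to enumerate or accept trusted domains, and filters a DOMAIN\user listing down to the parent domain only. The two smb.conf fragments and the wbinfo-style listing are constructed for the demonstration; the parameter names used (workgroup, realm, security, allow trusted domains, winbind enum users, winbind enum groups, winbind separator) are Samba's own smb.conf parameters.

```python
"""Audit the winbind trust scope of an smb.conf and filter an enumeration
listing down to one domain.

Added example, not the configuration referred to in the answer above and
not Samba project code. The smb.conf texts and the wbinfo-style listing
below are constructed for the demonstration; the parameter names are real
Samba 3.x smb.conf parameters.
"""

import re

NO = {"no", "false", "0"}


def _norm(name):
    """Samba matches parameter names case-insensitively and ignores spaces
    inside them, so 'AllowTrustedDomains' == 'allow trusted domains'."""
    return re.sub(r"\s+", "", name).lower()


def parse_smbconf(text):
    """Return {section: {normalised_param: value}} for an smb.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment
            continue
        m = re.match(r"\[(.+)\]$", line)         # [global], [homes], ...
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][_norm(key)] = value.strip()
    return conf


def check_winbind_scope(conf, wanted_domain):
    """Return findings explaining why winbind may still reach beyond
    wanted_domain (the NetBIOS name of the parent domain), or [] if the
    configuration is pinned to that domain with enumeration switched off."""
    g = conf.get("global", {})
    findings = []
    if g.get("workgroup", "").upper() != wanted_domain.upper():
        findings.append("workgroup is not %s; winbind joins and serves the "
                        "domain named here" % wanted_domain)
    if g.get("security", "").lower() not in ("ads", "domain"):
        findings.append("security must be ads or domain for "
                        "'allow trusted domains' to take effect")
    if g.get(_norm("allow trusted domains"), "yes").lower() not in NO:
        findings.append("allow trusted domains is not 'no'; logons from "
                        "domains other than %s are still accepted" % wanted_domain)
    for p in ("winbind enum users", "winbind enum groups"):
        # Enumeration (getent passwd / getent group) walks every domain
        # winbind knows about, so an unreachable trust stalls the listing.
        # The default changed between 3.0.x releases, so require it explicitly.
        if g.get(_norm(p), "").lower() not in NO:
            findings.append("%s is not explicitly 'no'; getent walks every "
                            "known domain and blocks on unreachable trusts" % p)
    return findings


def only_domain(listing, domain, separator="\\"):
    """Keep only DOMAIN<separator>user entries for one domain from output
    in the style of wbinfo -u or getent passwd (the 'winbind separator'
    parameter; Samba's default is a backslash)."""
    prefix = domain.upper() + separator
    return [l.strip() for l in listing.splitlines()
            if l.strip().upper().startswith(prefix)]


# Constructed: a configuration of the kind that produces the timeouts in the question.
WEAK = """
[global]
   workgroup = COMPANY
   realm = COMPANY.COM
   security = ads
   winbind enum users = yes
   winbind enum groups = yes
"""

# Constructed: pinned to the parent domain, with enumeration off so that a
# listing never has to walk a trust that cannot be reached.
RESTRICTED = """
[global]
   workgroup = COMPANY
   realm = COMPANY.COM
   security = ads
   allow trusted domains = no
   winbind enum users = no
   winbind enum groups = no
"""

# Constructed listing in wbinfo -u style (DOMAIN\\user).
LISTING = "COMPANY\\jdoe\nBRANCH1\\asmith\nCOMPANY\\svc-backup\n"

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("restricted", RESTRICTED)):
        findings = check_winbind_scope(parse_smbconf(text), "COMPANY")
        print(name, "->", findings or "ok")
    print(only_domain(LISTING, "COMPANY"))
```

To run it against a real box, read /etc/samba/smb.conf into parse_smbconf instead of the constructed strings. Note that winbind enum users only governs the getpwent() walk: with it set to no, a plain getent passwd no longer lists domain accounts, but a lookup of a specific account (getent passwd 'COMPANY\jdoe') and PAM authentication continue to work, which is what avoids the timeout without losing logins.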