Stop samba from querying trusted domain servers

Hi,

We've got a samba server running in our DMZ. Our users drag & drop files on it for vendors. Everything was working perfectly until the powers that be decided to build a trust between a couple of internal domains.

Samba is now querying each server in the trust. When a user browses the directory on the mapped drive, occasionally Explorer will hang. The same holds true for a Unix user trying to list a directory.

After much digging, I found that the "hang" is occurring when the trusted servers are being queried. The directory listing won't show up until the queries are done. This is causing some grief for users and the scripts that run in the background.

Since the server is in the DMZ the trusted servers aren't reachable, nor are there routes back to it from these servers. So, even if I did allow the traffic, it wouldn't come back anyway.

This appears to be a winbind problem. There seems to be no problem with authentication. Only mapping Unix UID to a Windows user name.

Is there a way to stop samba from querying these servers, or limit it to just our local server? I've been through the man pages, scoured the Internet & tried several ideas that I found all to no avail.

Any Ideas?

Thanks,

MPH

allow trusted domains = no

I've had similar problems and had to go back to just using the domain I'm joined to.

cjcox,

Thanks for the reply. Unfortunately, allow trusted domains = no is already in the config file. It still tries to hit all the other servers. I increased the ldap timeout and it seems to be helping. It's not the answer, but it's a start.

Regards,

MPH
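An added smb.conf fragment, not from the original poster or from the Samba project, showing the parameters discussed in this thread (allow trusted domains, ldap timeout) next to the winbind settings that keep UID-to-name lookups from enumerating or waiting on remote controllers. The domain name, workgroup, idmap range and timeout values are assumptions for illustration, and the idmap syntax assumes a Samba 3.6-or-later style configuration:

```ini
[global]
    workgroup = EXAMPLEDOM            ; assumed NetBIOS name of the local domain
    realm = EXAMPLEDOM.LOCAL          ; assumed AD realm
    security = ads

    ; Only resolve users/groups from the domain this host is joined to;
    ; the poster already has this set, it limits but does not fully stop
    ; the outbound attempts in his case.
    allow trusted domains = no

    ; Do not enumerate the whole user/group list on getpwent()/getgrent();
    ; enumeration is what fans out to every reachable (and unreachable) DC.
    winbind enum users = no
    winbind enum groups = no

    ; Cache resolved names/SIDs for an hour so a directory listing does
    ; not trigger a fresh lookup for every file owner (assumed value).
    winbind cache time = 3600

    ; Serve cached results when the DC cannot be reached instead of blocking.
    winbind offline logon = yes

    ; The poster raised the LDAP timeout to shorten the hang; 15 seconds is
    ; an assumed value, lower than the default, so a dead DC is abandoned sooner.
    ldap timeout = 15

    ; Local idmap backend so SID-to-UID mapping never needs a remote server
    ; for the mapping itself (range is an assumption).
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000
```

After editing, `testparm -s` will show whether each parameter is accepted by the installed Samba version, and `wbinfo -m` lists the trusted domains winbind still knows about, which is a quick way to confirm whether the restriction took effect.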

So... you're saying that when enumerating users it's giving the list from all of the domains? Not just the one you're joined to? Mine doesn't do this.

In my config, I only see the Domain I'm joined to now and auths are strictly going against that. Weird problem.

It's not listing from all the domains. It IS trying to reach the other controllers. The problem is that there's no route to some of the servers and others there's no route back to the machine. Doing a tcpdump yields the following

From my samba machine in the DMZ to, and back from, the local AD server:

To other AD servers with insufficient routing:

There are 5 or so more remote AD servers from other domains that never come back due to routing. During the time that it's attempting to query or connect with these servers, file listings and such "hang" until the local machine gives up.

Using the allow trusted domains = no parameter DOES limit the connection attempts to once every half an hour or so. Before that, it would try almost every time a directory listing or anything else that needed to tie a user name to a UID was attempted. It's not the fix, but it SURE helped.

The routing is something that will not be fixed. The other domains need not access nor communicate with our DMZ.

UPDATE!!!

I think I've got at least a workaround. I set samba to be the master browser on the local network. The only way I could get away with it is because it's on its own network. Otherwise, I wouldn't have taken the chance of interfering with our BDC.

Since making the change, there's been no attempts to contact servers other than our domain servers.

I'll keep my eyes crossed. X^)
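An added example, not the poster's own configuration, of the browse-master settings that correspond to the workaround described in the update: the DMZ host wins the local browser election on its own isolated subnet, while domain master is left off so it never contends with the real PDC/BDC for the domain-wide role. The os level value and the choice to leave domain master off are assumptions, not something the poster stated:

```ini
[global]
    ; Take part in, and win, the browser election on this subnet only.
    local master = yes
    preferred master = yes

    ; 65 outranks any Windows client or member server (assumed value);
    ; the DMZ subnet is isolated, so nothing else here should be elected.
    os level = 65

    ; Never claim the domain-wide browse list; that belongs to the PDC/BDC
    ; on the internal network (assumed, to avoid interfering with them).
    domain master = no
```

`nmblookup -M EXAMPLEDOM` (with the real workgroup name) will return the address of the current local master browser for the subnet, so you can confirm the samba host actually won the election rather than just being configured to try.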