I have set up my system to allow the use of AD accounts to log on to this box (using SSH or on the local console) - I loosely followed instructions from:
http://www.ccs.neu.edu/home/battista...ind/index.html
In short - configure Kerberos, Samba/Winbind, nsswitch, join the AD domain, configure PAM.
It works most of the time - but at times it will just lock up with anything that has to do with AD communication - for about 5 minutes or so. Particularly, the command "wbinfo -g" or "wbinfo -u" after a reboot will trigger the lockup. But it will happen "on its own" once in awhile - and then I cannot use an AD account to log on.
Our company is a subsidiary of a global company based in Europe, and Active Directory resembles that organization. We in the US are only a subsidiary with an AD domain that links to the corporate root domain (they gave us quite a bit of autonomy). Corp have many other domains in AD.
Now when looking at Wireshark capture of what is happening while that 5 minute lockup is happening, I could see that the Linux box somehow gets the names of all domains and domain controllers in the global organization, and tries to open a TCP connection (port 445, maybe others) to virtually every domain controller in the world of my parent company - not only the headquarters but every subsidiary. This is not possible, because for many of those there are firewalls in place or routing is not set up, as it doesn't need to be - we only need to communicate with the corp office. Each of these attempts takes a bit to time out, and hence the lockup.
Trying to work around this, I tried many options in smb.conf, but no luck. In the end, I installed firehol, and set it up accept in/out to our local networks, and reject anything else both in and out, so that whatever service is doing that will not have to time out.
My firehol.conf:
Code:
interface any world
policy reject
server all accept src AA.AA.0.0/16
server all accept src BB.BB.0.0/16
client all accept dst AA.AA.0.0/16
client all accept dst BB.BB.0.0/16
- where AA.AA.0.0/16 and BB.BB.0.0/16 are the 2 internal networks in my company.
Additionally I removed broadcast from "name resolve order = lmhosts host wins bcast" - this did help a little bit.
Now it pretty much works well - the only lockup is if I run "wbinfo -g" or "wbinfo -u" within a few minutes after a reboot. Otherwise I can log on using AD accounts at any time with no delays, and even list the domain users or groups using "wbinfo -g" or "wbinfo -u" - just as long as it's not the first 5 or so minutes after startup.
So my question is: are there any options on Samba and/or Kerberos to say "look, I only care about our AD domain and nothing else, not even the root domain"? This firewall thing is a work around, not a solution...
Samba is version 3.2.5; libkrb53 is ver. 1.6.
Thanks in advance.
