You can disable either all trusted domains or only specific ones.

Winbind only lets a user access SMB if they can authenticate to the Samba server as a user from the joined domain or from one of its trusted domains; you can have winbind ignore certain domains to shrink that allowable user set. With trusted domains disabled, only users of the domain the Samba server is joined to can use SMB (plus users of any trusted domains you have not ignored). This is useful in big firms with tens of thousands (or more) of users spanning multiple trusted domains, where ideally only some of those domains will ever use the Samba server. So it's wise to disable the domains that are not going to be using it.

Log in to the Samba server and edit /etc/smb.conf under the [global] section.

To disable all trusted domains (only users of the domain you joined can use Samba):

allow trusted domains = no

To disable specific trusted domains (all users of the joined domain and the remaining trusted domains, minus users from the domains you ignore, can use Samba):

winbind:ignore domains = DOMAIN1 DOMAIN2

where DOMAIN1 and DOMAIN2 are the trusted domains you want to remove (untrust/disable). You can disable a single domain like this:

winbind:ignore domains = DOMAIN1

Or you can untrust four domains like this:

winbind:ignore domains = DOMAIN1 DOMAIN2 DOMAIN3 DOMAIN4

You just have to separate them with a space. You can list many domains (I'm not sure if there is a limit; in this mailing-list thread someone blocked 13 domains and everything worked: https://lists.samba.org/archive/samba/2009-July/149577.html).

You can check which trusted domains exist, which are online (not ignored), and which are offline (ignored; I guess they might be offline for other reasons as well):

[koss01]# wbinfo --online-status
BUILTIN : online
KOSS01 : online
NIM10 : online

Note that NIM10 is the domain I joined and it's online. This is a bad example as I don't have a trusted domain, and I don't have any disabled. But essentially you would see it here (although the output of wbinfo --online-status might be buggy I hear, so it's probably best to test using regular authentication via Samba).

Don't forget to restart winbind and Samba afterwards.
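As an added example (not from the post or from Samba itself), a small Python checker that parses the [global] section and reports which domains winbind will still accept logons from, so the effective scope can be reviewed before restarting. The smb.conf text and the trusted-domain list below are constructed; on a real server the list would come from wbinfo -m.

```python
import re

# Constructed sample [global] section; not taken from the post or a real server.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = NIM10
   security = ads
   ; comment lines use ; or #
   # allow trusted domains defaults to yes when omitted
   allow trusted domains = yes
   winbind:ignore domains = DOMAIN1 DOMAIN2
   idmap config * : backend = tdb

[share]
   path = /srv/share
"""

def parse_global(conf_text):
    """Return {normalised key: value} for the [global] section only.

    Keys are lower-cased, whitespace is collapsed and spaces around ':'
    removed, so 'Winbind : Ignore Domains' equals 'winbind:ignore domains'.
    """
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            params[re.sub(r"\s*:\s*", ":", key)] = value.strip()
    return params

def allowed_domains(conf_text, joined_domain, trusted_domains):
    """Domains whose users winbind will still accept for SMB logons.

    The joined domain is always allowed. With allow trusted domains = no
    nothing else is; otherwise every trusted domain not listed in
    winbind:ignore domains is. Names are compared case-insensitively.
    """
    p = parse_global(conf_text)
    allowed = {joined_domain.upper()}
    if p.get("allow trusted domains", "yes").lower() in ("no", "false", "0"):
        return allowed
    # The post separates ignored domains with spaces; commas are tolerated too.
    ignored = {d.upper() for d in re.split(r"[\s,]+", p.get("winbind:ignore domains", "")) if d}
    return allowed | ({d.upper() for d in trusted_domains} - ignored)
```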
