Alex de Vaal
2004-Jun-09 12:33 UTC
[Samba] use password server= when security=ADS or not???
Dear list,

I'm using Samba 3.0.4 on a RHL9 server as a domain member in a W2k3 ADS (native) environment. The shares on the Samba server are used by XP clients, and these clients get the shares via scripting when they log on to the ADS. In the ADS domain there are several ADS servers (on remote locations, connected via routers) that have the same global catalog. This means that an XP client that logs on to the ADS will get a response from the "fastest" server on the network. The XP clients and the Samba domain member are on remote locations and connected to the ADS environment via routers too.

The smb.conf file that I use on the Samba domain members doesn't contain the "password server" statement; this means that Samba handles "password server" as follows, according to the man pages:

    If the "password server" option is set to the character '*' (the same as no password server), then Samba will attempt to auto-locate the Primary or Backup Domain controllers to authenticate against by doing a query for the name "WORKGROUP<1C>" and then contacting each server returned in the list of IP addresses from the name resolution source.

This means that Samba uses the old NetBIOS name, and this is not in our DNS, and a broadcast is not allowed on our routers!

The Samba man page also says the following about "password server":

    The advantage of using "security = domain" is that if you list several hosts in the "password server" option then smbd will try each in turn till it finds one that responds. This is useful in case your primary server goes down.

Does this also work when "security = ADS"? I'd like the Samba domain server to try to contact each password server in the list till it finds one that responds. Can you tell me what is preferable?

I use Samba 3.0.4 on RHL9 compiled with MIT 1.3.1-7 Kerberos and CUPS; Kerberos and winbind are used for authentication against the ADS server.
Here is my smb.conf file (only the global section):

[global]
        workgroup = XXXX
        realm = XXXX.COM
        server string = %h server (Samba %v)
        security = ADS
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        domain master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /data/hom/%U
        template shell = /bin/bash
        printer admin = root, '@XXXX.COM\Domain Admins', @XXXX.COM\DEP_ADMIN_GERMANY
        oplocks = No
        level2 oplocks = No

Regards,
Alex.
Gerald (Jerry) Carter
2004-Jun-09 13:01 UTC
[Samba] use password server= when security=ADS or not???
Alex de Vaal wrote:
| In the man page of samba also reside about password server
| the following: The advantage of using security = domain
| is that if you list several hosts in the password server
| option then smbd will try each in turn till it finds one
| that responds. This is useful in case your primary
| server goes down. Does this also work, when security = ADS
| ? I'd like that the samba domain server
| tries to contact each password server in the list
| till it finds one that responds.

When 'security = ads', Samba uses the password server for any NTLM authentication as well as ldap queries. Krb5 ticket verification is handled by the krb5 libs (outside of Samba).

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home."  ----------- Sting
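To make Jerry's distinction concrete, here is an added configuration example (not from the thread and not Samba project documentation) showing the two halves of DC discovery on a "security = ads" member: the "password server" setting that governs winbind's NTLM and LDAP traffic, and the krb5 side that is resolved by the Kerberos libraries. The DC hostnames dc1.xxxx.com and dc2.xxxx.com are placeholders assumed for the example. Whether Samba 3.0.4 walks a multi-entry "password server" list in turn under "security = ads", as it documents for "security = domain", is exactly the open question of the thread and is not confirmed by Jerry's reply; the example only shows where each lookup is configured.

```ini
# --- smb.conf, [global] section (added example; hostnames are placeholders) ---

# Implicit form: no "password server" line, equivalent to "password server = *".
# Per the man page quoted above, Samba then auto-locates DCs via a NetBIOS
# WORKGROUP<1C> name query. Without WINS or broadcast across the routers that
# query has nothing to answer it, which is the situation described in the post.
#   password server = *

# Explicit form: name the DCs by their DNS names so winbind's NTLM
# authentication and LDAP queries do not depend on NetBIOS name resolution.
[global]
        workgroup = XXXX
        realm = XXXX.COM
        security = ADS
        password server = dc1.xxxx.com dc2.xxxx.com

# --- /etc/krb5.conf (added example) ---
# "password server" has no effect on Kerberos. With no krb5.conf present, as in
# the post, MIT Kerberos falls back to DNS SRV records for the KDCs; the explicit
# settings below ask for the same behaviour rather than relying on the default.
[libdefaults]
        default_realm = XXXX.COM
        dns_lookup_kdc = true
        dns_lookup_realm = false
```

After changing either file, "net ads info" (which DC Samba selected for LDAP) and "wbinfo -t" (whether winbind can reach a DC with the machine trust account) are the quickest checks that the member is talking to a DC by the intended path; a working Kerberos logon with a broken "password server" list, or the reverse, points at the half of the configuration above that still needs attention.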
Alex de Vaal
2004-Jun-09 14:58 UTC
[Samba] use password server= when security=ADS or not???
On 9 Jun 2004 at 8:00, Gerald (Jerry) Carter wrote:

> | In the man page of samba also reside about password server
> | the following: The advantage of using security = domain
> | is that if you list several hosts in the password server
> | option then smbd will try each in turn till it finds one
> | that responds. This is useful in case your primary
> | server goes down. Does this also work, when security = ADS
> | ? I'd like that the samba domain server
> | tries to contact each password server in the list
> | till it finds one that responds.
>
> When 'security = ads', Samba uses the password server
> for any NTLM authentication as well as ldap queries.
> Krb5 ticket verification is handled by the krb5 libs
> (outside of Samba).

Right. I'm using winbind (which is the Samba-3 NTLM authentication daemon) in my configuration, so in my case is it better to specify at "password server" all the DNS names of my ADS servers instead of leaving it blank?

I know that the Krb5 ticket is handled by the krb5 libs. I have no krb5.conf specified, so it uses DNS for resolving the KDC servers (the ADS servers create SRV records in DNS for each KDC in the realm).

In my case "password server=" is not specified in smb.conf. I see however sometimes strange things in winbindd.log on a remote Samba domain member server: it sometimes can't find the LDAP server, port 445 and port 139, because the connection to the ADS server is sometimes very slow (it is a router connection). I was wondering if it is better to specify all the ADS servers in the realm at "password server=", so it looks for the other servers in the realm if the connection to an ADS server is slow.
Winbindd.log
=========

[2004/06/08 19:28:41, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:28:50, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:07, 1] libsmb/cliconnect.c:cli_start_connection(1388)
  session request to NHADM01 failed (Call timed out: server did not respond after 10000 milliseconds)
[2004/06/08 19:29:15, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to *SMBSERVER<20> (10.2.20.240)
[2004/06/08 19:29:34, 1] libsmb/cliconnect.c:cli_start_connection(1408)
  failed negprot
[2004/06/08 19:29:43, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:52, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to NHADM01<20> (10.2.20.240)
[2004/06/08 19:30:02, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
[2004/06/08 19:30:35, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:59, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:31:11, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445

and somewhat later.....

[2004/06/08 20:45:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:55:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:05:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:53, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:16:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:25:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist

which is normal... (in 3.0.4) ;-)

Regards,
Alex.
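The winbindd.log excerpt above is the kind of evidence a practitioner wants to pull out automatically: repeated connect timeouts to one DC on 445 and then 139, LDAP server lookup failures, and SID-to-name lookups that fail as a consequence (which means file-access decisions on the member may be made with incomplete group information while the DC is unreachable). The script below is an added example, not part of the thread or of Samba; it parses the Samba 3 two-line log entry format (header line, then indented message) and summarises DC connectivity failures per IP and port. The embedded sample log is constructed to mirror the entries posted above, and the threshold in unreachable_dcs() is a hypothetical cut-off chosen for illustration.

```python
"""Summarise domain-controller connectivity failures in a Samba 3 winbindd.log.

Added example, not code from the mailing-list thread or from Samba itself.
"""
import re
from collections import Counter

# Samba 3 log entries: a header "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)"
# followed by one or more indented message lines.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
# TCP 445 is SMB over TCP, TCP 139 is the NetBIOS session service that Samba
# falls back to; both timing out on the same IP means the DC itself is unreachable.
TIMEOUT_RE = re.compile(r"timeout connecting to (\d+\.\d+\.\d+\.\d+):(\d+)")
LDAP_FAIL = "Failed to get ldap server info"
SID_FAIL_RE = re.compile(r"could not lookup sid (S-1-5-21-[\d-]+)")

# Constructed sample modelled on the entries posted in the thread (same IP and SID).
SAMPLE_LOG = """\
[2004/06/08 19:28:41, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:28:50, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:15, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:43, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 20:45:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
"""


def parse_entries(text):
    """Return a list of (timestamp, level, location, message) tuples."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                entries.append(tuple(current))
            current = [m.group(1), int(m.group(2)), m.group(3), ""]
        elif current is not None:
            # Continuation line: append to the message of the open entry.
            current[3] = (current[3] + " " + line.strip()).strip()
    if current is not None:
        entries.append(tuple(current))
    return entries


def summarise(text):
    """Count connect timeouts per (ip, port), LDAP lookup failures and unresolved SIDs.

    Entries such as "user 'root' does not exist" are left out: per the thread they
    are expected in 3.0.4 for a local account and say nothing about DC reachability.
    """
    timeouts = Counter()
    ldap_failures = 0
    unresolved = set()
    for _ts, _level, _loc, msg in parse_entries(text):
        m = TIMEOUT_RE.search(msg)
        if m:
            timeouts[(m.group(1), int(m.group(2)))] += 1
            continue
        if LDAP_FAIL in msg:
            ldap_failures += 1
            continue
        m = SID_FAIL_RE.search(msg)
        if m:
            unresolved.add(m.group(1))
    return {
        "timeouts": dict(timeouts),
        "ldap_failures": ldap_failures,
        "unresolved_sids": sorted(unresolved),
    }


def unreachable_dcs(text, threshold=2):
    """IPs that timed out at least `threshold` times across all ports (hypothetical cut-off)."""
    per_ip = Counter()
    for (ip, _port), n in summarise(text)["timeouts"].items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def report(text):
    """Human-readable summary, one line per finding."""
    s = summarise(text)
    lines = ["timeout %s:%d x%d" % (ip, port, n) for (ip, port), n in sorted(s["timeouts"].items())]
    lines.append("ldap lookup failures: %d" % s["ldap_failures"])
    lines.append("unresolved SIDs: %s" % ", ".join(s["unresolved_sids"]))
    lines.append("DCs considered unreachable: %s" % ", ".join(unreachable_dcs(text)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real log with the file contents in place of SAMPLE_LOG; a non-empty "DCs considered unreachable" line paired with "unresolved SIDs" is the signature of the condition described in the thread, and the IP it names is the DC that the "password server" or NetBIOS-based discovery has selected, which is what to compare against the DC list you intended.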