Hi,
I am busy trying to get another 2003 server set up and working so that we
have backup servers when authenticating to AD. I believe the way we have to
do it is to not specify a server when joining the domain, but rather just
connect to the domain. Here is what I did.
I installed a standard 2003 server, and then installed a second one, making
it another controller in the domain. So that seems fine, and I can join each
one separately if I specify the server to connect to. On a side note, I
couldn't join the domain from my machines without using Kerberos for some
reason; I don't even remember telling the AD domain that Kerberos must be
used. Anyway, if I then remove the server name to connect to, I can then
about 80% of the time, join a server. Here is the confusing part though:
when I join the domain, it picks a random controller and joins to that one,
no specific one. What I need to be able to do is to join one of them, and
when that one fails, move over to another one. I have a suspicion that I
would need to re-issue the Kerberos ticket when moving servers, since I
assume they would have different tickets. Just to jump back to my 2003
configuration, the first domain controller I installed was a default install
using the 2003 mode (not 2000 native), with no other configuration changes.
Below is how I connect to the domain etc.
This is my Kerberos file
[root@server] ~ # cat /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5lib.log

[libdefaults]
    default_realm = DEADMIND.LOCAL

[realms]
    DEADMIND.LOCAL = {
        # only one KDC is listed, so this is the only host the Kerberos client will talk to
        kdc = deadmind.deadmind.local
        default_domain = deadmind.local
    }

# the section must be named domain_realm (underscore); under "[domain realm]"
# libkrb5 never finds the host-to-realm mapping
[domain_realm]
    .deadmind.local = DEADMIND.LOCAL
    deadmind.local = DEADMIND.LOCAL
[root@server] ~ #
This is my smb.conf file:
[root@server] ~ # cat /usr/local/etc/smb.conf
[global]
    winbind separator = +
    winbind cache time = 10
    workgroup = MASTERMIND
    # Kerberos realm; conventionally written in upper case
    realm = DEADMIND.LOCAL
    # join and authenticate via Active Directory (Kerberos + LDAP) rather than NT4-style
    security = ads
    # uid/gid ranges winbind allocates for domain users and groups
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    client ntlmv2 auth = yes
[root@server] ~ #
This is how I join etc:
[root@server] ~ # net ads join -w MASTERMIND -U Administrator%passwordhere
[2006/01/31 07:54:50, 0] libads/ldap.c:ads_add_machine_acct(1368)
ads_add_machine_acct: Host account for server already exists - modifying
old account
Using short domain name -- MASTERMIND
Joined 'SERVER' to realm 'DEADMIND.LOCAL'
[root@server] ~ #
I then run winbindd and nmbd, and I can lookup users using wbinfo -u etc.
Once that is working and I unplug the one I'm connected to (which I don't
want to have to guess which one it is), I then can't look up users and it
doesn't switch to the other server.
Am I doing something wrong?
Thanks,
Ian
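The post above pins a single host in the krb5.conf `kdc =` line and wants winbind and Kerberos to survive that host going away. As an added example (not part of the original post, and not Samba's or MIT Kerberos's own code), the POSIX sh snippet below shows the locator logic those clients apply when no KDC is pinned: the realm's `_kerberos._tcp.<REALM>` DNS SRV records are ranked by priority and weight, and a `[realms]` stanza listing every KDC is emitted instead of one. The SRV records are constructed sample data; the hostnames dc2.deadmind.local and dc3.deadmind.local are assumptions, only deadmind.deadmind.local appears in the post.

```shell
#!/bin/sh
# Added example, not from the original post: rank a realm's KDCs from DNS
# SRV records and emit a krb5.conf [realms] stanza that lists all of them,
# so the client is not tied to a single "kdc =" host.

# Constructed sample of what `dig +short SRV _kerberos._tcp.DEADMIND.LOCAL`
# could return for a three-DC realm. Fields: priority weight port target.
# dc2 and dc3 are assumed hostnames; only deadmind.deadmind.local is from the post.
SAMPLE_SRV='10 50 88 dc3.deadmind.local.
0 100 88 deadmind.deadmind.local.
0 200 88 dc2.deadmind.local.'

# rank_kdcs: read SRV records on stdin, print target hostnames one per line,
# lowest priority first; within a priority, highest weight first (a
# deterministic stand-in for the weighted-random choice RFC 2782 prescribes).
# The trailing dot DNS puts on the target is stripped.
rank_kdcs() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# realm_stanza REALM KDC...: print a [realms] entry with one kdc line per host,
# plus a lower-cased default_domain, mirroring the layout of the post's krb5.conf.
realm_stanza() {
    realm=$1
    shift
    printf '%s = {\n' "$realm"
    for kdc in "$@"; do
        printf '    kdc = %s\n' "$kdc"
    done
    printf '    default_domain = %s\n}\n' "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
}

# kdc_count: number of kdc lines in a stanza read from stdin (sanity check that
# more than one KDC actually made it into the configuration).
kdc_count() {
    grep -c '^ *kdc = '
}

# Demo: build the stanza from the constructed records.
KDCS=$(printf '%s\n' "$SAMPLE_SRV" | rank_kdcs)
# word-splitting the newline-separated list into arguments is intended here
realm_stanza DEADMIND.LOCAL $KDCS
```

On a live client the same lookup is `dig +short SRV _kerberos._tcp.DEADMIND.LOCAL`; every domain controller that runs the KDC service should appear, and a host that is unplugged should stop answering while the rest remain. Setting `dns_lookup_kdc = true` under `[libdefaults]` makes libkrb5 perform this lookup itself, so the `kdc =` lines can be dropped altogether, and `net ads join` run without `-S` likewise selects a DC from the `_ldap._tcp.dc._msdcs.<realm>` SRV records rather than from a fixed name.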