Richard Anderson
2022-Apr-25 16:56 UTC
[Samba] Winbind authentication issues when single Domain Controller down
When one of our domain controllers is restarted or down, occasionally we will have a large number of errors on our Samba server. This appears to depend on whatever domain controller is being used by winbind.

We found this out when several of our users reported they could not log in to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was on a reboot of one of our domain controllers. Once the domain controller was back up we were able to log in to the server.

Does the 'password server' setting work? Is there another setting I should consider?

We use winbind for authentication. When the domain controller that is being used is down, wbinfo -P will take several minutes before failing and does not appear to switch to another server on the second or third attempt.

*Tried (smb.conf)*

 - winbind offline login = yes
 - winbind cache time = 600
 - password server = dc1.ourdomain.company_domain.com, dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com

*Diagnostics*

nslookup:

    > set type=SRV
    > _ldap._tcp.ourdomain.company_domain.com
    Server: 172.16.0.1
    Address: 172.16.0.1#53

    _ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc1.ourdomain.company_domain.com.
    _ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc2.ourdomain.company_domain.com.
    _ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc3.ourdomain.company_domain.com.

Rich
*Sr. Systems Engineer*
Jeremy Allison
2022-Apr-25 18:42 UTC
[Samba] Winbind authentication issues when single Domain Controller down
On Mon, Apr 25, 2022 at 11:56:22AM -0500, Richard Anderson via samba wrote:
> When one of our domain controllers is restarted or down, occasionally we
> will have a large number of errors on our Samba server. This appears to
> depend on whatever domain controller is being used by winbind.
>
> We found this out when several of our users reported they could not log in
> to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was on
> a reboot of one of our domain controllers. Once the domain controller was
> back up we were able to log in to the server.
>
> Does the 'password server' setting work? Is there another setting I should
> consider?
>
> We use winbind for authentication. When the domain controller that is being
> used is down, wbinfo -P will take several minutes before failing and does
> not appear to switch to another server on the second or third attempt.
>
> *Tried (smb.conf)*
>
> - winbind offline login = yes
> - winbind cache time = 600
> - password server = dc1.ourdomain.company_domain.com,
>   dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com

What Samba version?

Modern Samba code to find a DC will ping DCs in parallel and pick the first one that responds.
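An added diagnostic, not part of either message above and not Samba's own DC locator code: it parses SRV lines in the shape of the nslookup output from the first post, probes every listed DC in parallel, and reports the first responder and the unreachable ones. The function names, the constructed sample, and the use of a plain TCP connect to the SRV port as the reachability check are assumptions made for this example.

```python
import re
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed sample in the shape of the nslookup SRV output quoted in the thread.
SAMPLE_SRV = """\
_ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc1.ourdomain.company_domain.com.
_ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc2.ourdomain.company_domain.com.
_ldap._tcp.ourdomain.company_domain.com service = 0 100 389 dc3.ourdomain.company_domain.com.
"""

SRV_RE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_srv(text):
    """Return [(host, port)] ordered by SRV priority, then highest weight first."""
    records = []
    for m in SRV_RE.finditer(text):
        prio, weight, port, host = m.groups()
        records.append((int(prio), -int(weight), host.rstrip("."), int(port)))
    return [(host, port) for _, _, host, port in sorted(records)]

def probe(host, port, timeout):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers refused, timed out, and DNS resolution failures
        return False

def first_responder(candidates, timeout=2.0):
    """Probe all candidates at once; return (first to answer or None, unreachable list)."""
    if not candidates:
        return None, []
    winner, dead = None, []
    with ThreadPoolExecutor(max_workers=len(candidates)) as pool:
        futures = {pool.submit(probe, h, p, timeout): (h, p) for h, p in candidates}
        for fut in as_completed(futures):
            if not fut.result():
                dead.append(futures[fut])
            elif winner is None:
                winner = futures[fut]
    return winner, sorted(dead)

if __name__ == "__main__":
    winner, dead = first_responder(parse_srv(SAMPLE_SRV))
    print("first responder:", winner, "unreachable:", dead)
```

Run from the Samba server during a DC reboot, the unreachable list shows which SRV-advertised DCs are down at that moment, which can be compared with the DC winbind is currently bound to.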