Jeremy Allison
2022-Apr-25 18:42 UTC
[Samba] Winbind authentication issues when single Domain Controller down
On Mon, Apr 25, 2022 at 11:56:22AM -0500, Richard Anderson via samba wrote:
> When one of our domain controllers is restarted or down, occasionally we
> will have a large number of errors on our Samba server. This appears to
> depend on whatever domain controller is being used by winbind.
>
> We found this out when several of our users reported they could not login
> to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was on
> a reboot of one of our domain controllers. Once the domain controller was
> back up we were able to login to the server.
>
> Does the 'password server' setting work? Is there another setting I should
> consider?
>
> We use winbind for authentication. When the domain controller that is being
> used is down, wbinfo -P will take several minutes before failing and does
> not appear to switch to another server on the second or third attempt.
>
> *Tried (smb.conf)*
>
> - winbind offline login = yes
> - winbind cache time = 600
> - password server = dc1.ourdomain.company_domain.com,
>   dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com

What Samba version? Modern Samba code to find a DC will ping DCs in parallel and pick the first one that responds.
Richard Anderson
2022-Apr-25 19:17 UTC
[Samba] Winbind authentication issues when single Domain Controller down
Samba: Version 4.13.17-Ubuntu
Winbindd: Version 4.13.17-Ubuntu

I would expect Samba to handle it fine, also. I wonder if there is something in our config that is preventing it from working properly. Would "dns proxy = no" do that? I started exploring that as a possible item to test outside of business hours.

I included my smb.conf and nsswitch.conf as an attachment in the original post. I am including them inline here just in case.

############# smb.conf #############
[global]
workgroup = OURDOMAIN
server string = Linux Server %v
load printers = no
###########################
## Added as a test to prevent mbxmenu from breaking. This is a problem where the Samba
## mounts could neither be accessed nor umounted (at least very quickly). We suspected
## that the core issue was a locking or oplock problem but we were not able to prove anything.
## The change here has not been confirmed with certainty that it has prevented our issues described above.
min protocol = SMB2
deadtime = 10
##########################
server signing = mandatory
realm = OURDOMAIN.COMPANY_DOMAIN.COM
use sendfile = no
dns proxy = no
smb ports = 139 445
security = ADS
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
ea support = yes
unix extensions = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
## Cache and specify server if we lose/reboot one of the domain controllers
winbind offline logon = yes
winbind cache time = 600
password server = dc1.ourdomain.company_domain.com, dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com
## Add winbind mapping for shell and home directory - part of replacing mbx_sssd_ldap for img Forge servers
template shell = /bin/bash
template homedir = /home/%u
# Default idmap config used for BUILTIN and local accounts/groups
# https://wiki.samba.org/index.php/Idmap_config_ad
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain
idmap config OURDOMAIN:backend = ad
idmap config OURDOMAIN:schema_mode = rfc2307
idmap config OURDOMAIN:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

##############
# nsswitch.conf
##############
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat winbind
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
sudoers: files

Rich
*Sr. Systems Engineer*

On Mon, Apr 25, 2022 at 1:42 PM Jeremy Allison <jra at samba.org> wrote:
> On Mon, Apr 25, 2022 at 11:56:22AM -0500, Richard Anderson via samba wrote:
> > When one of our domain controllers is restarted or down, occasionally we
> > will have a large number of errors on our Samba server. This appears to
> > depend on whatever domain controller is being used by winbind.
> >
> > We found this out when several of our users reported they could not login
> > to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was on
> > a reboot of one of our domain controllers. Once the domain controller was
> > back up we were able to login to the server.
> >
> > Does the 'password server' setting work? Is there another setting I should
> > consider?
> >
> > We use winbind for authentication. When the domain controller that is being
> > used is down, wbinfo -P will take several minutes before failing and does
> > not appear to switch to another server on the second or third attempt.
> >
> > *Tried (smb.conf)*
> >
> > - winbind offline login = yes
> > - winbind cache time = 600
> > - password server = dc1.ourdomain.company_domain.com,
> >   dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com
>
> What Samba version? Modern Samba code to find a DC will
> ping DCs in parallel and pick the first one that responds.
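As an added, read-only diagnostic for the situation in this thread (not code from the thread or from the Samba project; it only calls the standard testparm, net, wbinfo and timeout binaries), the script below reads the effective 'password server' list from smb.conf, probes each listed DC with a bounded timeout instead of waiting minutes as 'wbinfo -P' did above, and shows which DC winbind is currently bound to. It assumes the workgroup name OURDOMAIN from the posted smb.conf and that it runs on the domain member itself.

```shell
#!/bin/sh
# Read-only diagnostic for winbind DC failover. It reads 'password server'
# and 'realm' from the effective Samba config, probes every listed DC with a
# short bounded timeout, and shows which DC winbind is currently bound to.
# Assumes the workgroup name OURDOMAIN from the posted smb.conf and that
# testparm, net, wbinfo and timeout are installed on the member server.

DOMAIN="${DOMAIN:-OURDOMAIN}"          # workgroup from the thread's smb.conf
PROBE_TIMEOUT="${PROBE_TIMEOUT:-5}"    # seconds per DC, not minutes

# Turn a 'password server' value such as "dc1, dc2,dc3" into "dc1 dc2 dc3".
# Word splitting on the comma-replaced string trims all stray whitespace.
parse_password_server() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    printf '%s\n' "$*"
}

# Fetch one [global] parameter as Samba itself resolves it.
smb_param() {
    testparm -s --parameter-name="$1" 2>/dev/null
}

# CLDAP-ping one DC. A dead DC fails within PROBE_TIMEOUT seconds rather than
# blocking the way 'wbinfo -P' did in the thread.
probe_dc() {
    if timeout "$PROBE_TIMEOUT" net ads lookup -S "$1" >/dev/null 2>&1; then
        echo "UP   $1"
    else
        echo "DOWN $1 (no CLDAP reply within ${PROBE_TIMEOUT}s)"
    fi
}

probe_all() {
    echo "realm: $(smb_param realm)"
    servers=$(parse_password_server "$(smb_param 'password server')")
    if [ -z "$servers" ]; then
        echo "password server is unset; winbind discovers DCs via DNS SRV records"
    else
        for dc in $servers; do probe_dc "$dc"; done
    fi
    echo "--- DC winbind is bound to ($DOMAIN) ---"
    wbinfo --dc-info="$DOMAIN" 2>&1 || true
    echo "--- winbind ping-dc ---"
    timeout "$PROBE_TIMEOUT" wbinfo --ping-dc 2>&1 || echo "ping-dc failed or timed out"
}

# Only probe when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    probe_all
fi
```

Run it as `sh dc-check.sh --run` while one DC is rebooting: a DC that stays UP in the CLDAP probe while winbind's dc-info still names the one that is DOWN is the failover stall the thread describes.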