Jeremy Allison
2022-Apr-25 19:30 UTC
[Samba] Winbind authentication issues when single Domain Controller down
On Mon, Apr 25, 2022 at 02:17:33PM -0500, Richard Anderson wrote:
>Samba: Version 4.13.17-Ubuntu
>Winbindd: Version 4.13.17-Ubuntu
>
>I would expect Samba to handle it fine, also. I wonder if there is
>something in our config that is preventing it from working properly. Would
>"dns proxy = no" do that? I started exploring that as a possible item to
>test outside of business hours.
>
>I included my smb.conf and nsswitch.conf as an attachment in the original
>post. I am including inline here just in case.

I think removing the "password server" line and letting
winbindd look up the DCs itself might be the better
thing to do.

Either way, once the list of IP addresses is retrieved,
we use a function cldap_multi_netlogon() to send a CLDAP
ping to all addresses in the list. From the comment for
cldap_multi_netlogon():

/*
 * Do a parallel cldap ping to the servers. The first "min_servers"
 * are fired directly, the remaining ones in 100msec intervals. If
 * "min_servers" responses came in successfully, we immediately reply,
 * not waiting for the remaining ones.
 */
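The scheduling Jeremy quotes from the cldap_multi_netlogon() comment, as an added illustrative model in Python. This is not Samba's code: the CLDAP transport (an LDAP search over UDP to each DC) is abstracted into a pluggable async `ping` callable so the scheduling runs offline, the `timeout` bound is an assumption (the page does not state Samba's value), and the addresses and latencies in `make_fake_ping` are constructed. What it shows is the behaviour a practitioner should expect when the first DC in the list is down: the next address is fired 100 msec later and the call returns as soon as `min_servers` answers arrive, without waiting for the dead host.

```python
# Illustrative model of the cldap_multi_netlogon() scheduling described in
# the Samba comment above. Added example, not Samba code.
import asyncio
import time
from typing import Awaitable, Callable, Dict, Iterable, List, Optional, Tuple

STAGGER_SECONDS = 0.1  # the "100msec intervals" from the Samba comment

PingResult = Optional[dict]  # None = that DC gave no usable answer
PingFn = Callable[[str], Awaitable[PingResult]]


async def multi_netlogon(servers: List[str], ping: PingFn,
                         min_servers: int = 1,
                         timeout: float = 1.0) -> Dict[str, PingResult]:
    """Ping every server in parallel.

    The first ``min_servers`` pings start immediately; each later one starts
    STAGGER_SECONDS after the previous. As soon as ``min_servers`` pings have
    succeeded we return and cancel the rest. ``timeout`` is an assumed overall
    bound so a list of dead DCs cannot stall the caller forever.
    """
    results: Dict[str, PingResult] = {}
    enough = asyncio.Event()
    pingers: List[asyncio.Task] = []

    async def run_one(addr: str) -> None:
        try:
            results[addr] = await ping(addr)
        except asyncio.CancelledError:
            raise                      # cancelled stragglers record nothing
        except Exception:
            results[addr] = None       # e.g. ICMP unreachable: a failed answer
        if sum(1 for r in results.values() if r is not None) >= min_servers:
            enough.set()

    async def launcher() -> None:
        for i, addr in enumerate(servers):
            if i >= min_servers:
                await asyncio.sleep(STAGGER_SECONDS)
            pingers.append(asyncio.create_task(run_one(addr)))

    launch = asyncio.create_task(launcher())
    try:
        await asyncio.wait_for(enough.wait(), timeout)
    except asyncio.TimeoutError:
        pass  # nobody answered in time; return whatever came back
    # Do not wait for the remaining ones: stop launching and cancel pending pings.
    launch.cancel()
    for t in pingers:
        t.cancel()
    await asyncio.gather(launch, *pingers, return_exceptions=True)
    return results


def probe_dcs(servers: List[str], ping: PingFn, min_servers: int = 1,
              timeout: float = 1.0) -> Tuple[Dict[str, PingResult], float]:
    """Synchronous wrapper returning (results, elapsed_seconds)."""
    start = time.monotonic()
    results = asyncio.run(multi_netlogon(servers, ping, min_servers, timeout))
    return results, time.monotonic() - start


def make_fake_ping(latency: Dict[str, Optional[float]],
                   failing: Iterable[str] = ()) -> PingFn:
    """Constructed stand-in for a real CLDAP ping; no network involved.

    latency[addr] is the delay before that DC answers; None models a DC that
    is down and never answers (a UDP ping to a dead host simply gets nothing
    back). Addresses in ``failing`` answer promptly but with no usable result.
    """
    failing = set(failing)

    async def ping(addr: str) -> PingResult:
        delay = latency.get(addr)
        await asyncio.sleep(3600 if delay is None else delay)  # None: never
        if addr in failing:
            return None
        return {"dc": addr, "rtt": delay}

    return ping


if __name__ == "__main__":
    # Scenario from the thread: the first DC in the list is down (constructed
    # documentation-range addresses, not anyone's real DCs).
    dcs = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    ping = make_fake_ping({"192.0.2.10": None, "192.0.2.11": 0.02,
                           "192.0.2.12": 0.02})
    got, took = probe_dcs(dcs, ping, min_servers=1, timeout=2.0)
    print(f"answered: {sorted(a for a, r in got.items() if r)} in {took:.2f}s")
```

Under this model a dead DC at the head of the list costs roughly one stagger interval plus the next DC's round trip, not minutes; only the case where no listed address answers at all runs out to the full timeout.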
Richard Anderson
2022-Apr-26 13:27 UTC
[Samba] Winbind authentication issues when single Domain Controller down
That doesn't appear to be what is occurring. We had the server configured
without the "password server" line initially. Adding it in the configuration
(along with "winbind offline logon" and "winbind cache time") was an attempt
to see if it made a difference.

After removing those lines, checking wbinfo -P for the domain controller
used, shutting down that domain controller, and running wbinfo -P again
results in a long delay of two minutes before canceling the test and
starting the domain controller.

I tested the same process with 'dns proxy = yes' with the same results.

We have our domain controllers on a separate subnet and DNS is relayed via
our firewall. However, the tests I ran against the domain (using nslookup)
appeared ok.

Are there any other tests or settings I can try?

Rich
Sr. Systems Engineer

On Mon, Apr 25, 2022 at 2:30 PM Jeremy Allison <jra at samba.org> wrote:
> On Mon, Apr 25, 2022 at 02:17:33PM -0500, Richard Anderson wrote:
> >Samba: Version 4.13.17-Ubuntu
> >Winbindd: Version 4.13.17-Ubuntu
> >
> >I would expect Samba to handle it fine, also. I wonder if there is
> >something in our config that is preventing it from working properly. Would
> >"dns proxy = no" do that? I started exploring that as a possible item to
> >test outside of business hours.
> >
> >I included my smb.conf and nsswitch.conf as an attachment in the original
> >post. I am including inline here just in case.
>
> I think removing the "password server" line and letting
> winbindd look up the DCs itself might be the better
> thing to do.
>
> Either way, once the list of IP addresses is retrieved,
> we use a function cldap_multi_netlogon() to send a CLDAP
> ping to all addresses in the list. From the comment for
> cldap_multi_netlogon():
>
> /*
>  * Do a parallel cldap ping to the servers. The first "min_servers"
>  * are fired directly, the remaining ones in 100msec intervals. If
>  * "min_servers" responses came in successfully, we immediately reply,
>  * not waiting for the remaining ones.
>  */