Avron Gray
2009-Feb-12 15:40 UTC
[Samba] Resilience inquiry: What happens to samba clients if a domain controller fails?
Hello folks,

I have been asked about the resilience of samba clients when faced with a domain controller failure. My client's environment has multiple Windows Domain Controllers (we'll call them dc1 - dc9). Assuming that domain replication operates as expected (and does, from Windows workstation point of view), what should I expect if (when) the domain controller that initiated a kerberos ticket or provided active directory authentication fails?

I have not been able to test this properly, as my dev domain is too dissimilar to my production domain...

Support Information:

- My UNIX environment is running kerberos 5.

- Kerberos5 configuration information:
  kdc.conf has my domain listed in realms
  krb5.conf has my domain listed in realms like this:

    [realms]
    DOMAINNAME.CA = {
        kdc = dc1.domainname.ca
        admin_server = dc1.domainname.ca
        default_domain = DOMAINNAME.CA
    }

- Samba 3.0.33 configuration information:

    [global]
    security = ads
    realm = DOMAINNAME.CA
    workgroup = DOMAINNAME
    encrypt passwords = yes
    server string = %h Samba %v
    smb ports = 445
    disable netbios = yes
    name resolve order = hosts

- Hosts were joined to the domain using:

    net ADS join -U administrator
    administrator's password:
    Using short domain name -- DOMAINNAME
    Joined 'HOST' to realm 'DOMAINNAME.CA'
    host|/#

- DNS information

    root@oradbp1# nslookup domainname.ca
    Server: dc2.domainname.ca
    Address: 1.1.1.2

    Name: domainname.ca
    Addresses: 1.1.1.1, 1.1.1.2, 1.1.1.3, 1.1.1.4
               10.10.10.10, 10.10.10.11, 10.10.10.12, 100.100.100.100, 100.100.100.101

** IP addresses changed for ambiguity

- Avron