Alex de Vaal
2004-Dec-13 16:59 UTC
[Samba] Samba as W2k3 AD domain member; how to configure domain controller failover?
Dear list,

I have a question about how to configure Samba (configured as a W2k3 domain member) to fail over to a secondary AD domain controller when the connection to the primary domain controller fails.

First some info:
- Windows 2003 Active Directory (native mode), currently running with 2 domain controllers.
- Samba (version 3.0.9) running on a RHL9 server (updated with Kerberos 1.3.1-7); Samba is compiled against Kerberos 1.3.1-7 and configured as an AD domain member. The winbind daemon is used for AD user validation.
- IP addresses of the W2k3 domain controllers: 192.168.100.100 (adm01 = domain master) and 192.168.100.101 (adm02)
- IP address of the RHL9 server: 192.168.100.151
- DNS is properly configured on the RHL9 server and the W2k3 servers.

My smb.conf file looks like this:

[global]
workgroup = TEST
realm = TEST.COM
security = ADS
password server = 192.168.100.100, 192.168.100.101
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /data/hom/%U
template shell = /bin/bash

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes

resolv.conf looks like this:

nameserver 192.168.100.100
nameserver 192.168.100.101
search test.com
domain test.com

nsswitch.conf looks like this:

passwd: files winbind
shadow: files
group: files winbind
hosts: files dns wins

"wbinfo -g" and "getent group" give the appropriate output. Via the chown command I was able to give the AD group DEP_TEST_MEMBER access to the /data/grp directory on the Linux server (chmod 770 and chown "root:TEST\ DEP_TEST_MEMBER"). XP clients can connect to the [grp] share on the Samba server when they are members of the AD group DEP_TEST_MEMBER and can store files on the share. So far so good.
If I look with "netstat -na" I can see that the Samba server is connected to the primary domain controller:

tcp 0 0 192.168.100.151:33837 192.168.100.100:389 ESTABLISHED
tcp 0 0 192.168.100.151:33843 192.168.100.100:445 ESTABLISHED

When the connection with the primary domain controller (192.168.100.100) is suddenly lost, Samba will NOT fail over to the second domain controller (192.168.100.101). It just keeps trying to connect to the first configured one all the time. "net ads info" will do a request at the second DC (after a timeout of 15 sec, which I can configure to 2 seconds with "ldap timeout = 2"). "wbinfo -u" will after a short while give the error message "Error looking up domain users", and I have difficulty connecting to the Linux server with Telnet (it tries to validate the user that logs on with Telnet, even the root user, against the AD). The XP clients will lose the connection to the [grp] share after a short while. This becomes a "status quo"; nothing changes. The only thing I can do is fail over manually to get Samba working properly again.

I changed the global option "password server" to "password server 192.168.100.101, 192.168.100.100", rebooted the Linux server and now the Samba server connected to the second DC:

netstat -na
=======
tcp 0 0 192.168.100.151:33998 192.168.100.101:389 ESTABLISHED
tcp 0 0 192.168.100.151:34004 192.168.100.101:445 ESTABLISHED

"wbinfo -g" and "getent group" give the appropriate output and the XP client can connect to the [grp] share again.

How can I configure Samba to fail over to the second DC, so that even XP clients connected to Samba shares won't notice it when the connection to the primary DC gets lost? I googled for hours for this answer and found that someone used the "net ads join -S" option and used the "join" option on all DCs in the AD (look at http://lists.samba.org/archive/samba/2004-October/093721.html). I tried that too, but it didn't help.
This problem has been bugging me for quite a while now (also in my real environment), so it has become a very important question for me (but the solution is more important ;-), therefore any help is very much appreciated!

Regards,
Alex.
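For the manual failover described in the post (reordering "password server" so the reachable DC comes first, then checking "netstat -na"), here is an added shell helper that is not part of the post or of Samba: it reads the DC list from smb.conf, reports which configured DC currently holds ESTABLISHED LDAP (389) or SMB (445) sessions in saved netstat output, and prints a reordered copy of smb.conf. The function names, file paths and the sample smb.conf and netstat contents are constructed for this example.

```shell
# Added example (hypothetical helper, not from the post or Samba): check which
# configured DC Samba actually talks to, and prepare the manual failover.

# Print the DCs listed in "password server = a, b" in smb.conf, one per line.
configured_dcs() {
    sed -n 's/^[[:space:]]*password server[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ', \t' '\n\n\n' | sed '/^$/d'
}

# Print "up" if saved "netstat -na" output ($1) shows an ESTABLISHED session
# to port 389 (LDAP) or 445 (SMB) on DC $2, otherwise "down".
dc_session_state() {
    if grep -E "[[:space:]]$2:(389|445)[[:space:]]+ESTABLISHED" "$1" >/dev/null; then
        echo up
    else
        echo down
    fi
}

# Print the first configured DC (from smb.conf $1) with a live session in
# netstat output $2; print nothing and fail if none has one (the stuck state
# from the post, where winbind keeps retrying a dead primary DC).
active_dc() {
    for dc in $(configured_dcs "$1"); do
        [ "$(dc_session_state "$2" "$dc")" = up ] && { echo "$dc"; return 0; }
    done
    return 1
}

# Print a copy of smb.conf $1 with "password server" reordered so DC $2 comes
# first. Applying it still needs a winbind restart, as the post's reboot did.
reorder_password_server() {
    rest=$(configured_dcs "$1" | grep -vx "$2" | tr '\n' ',' | sed 's/,$//; s/,/, /g')
    line="password server = $2${rest:+, $rest}"
    sed "s/^[[:space:]]*password server[[:space:]]*=.*/$line/" "$1"
}

# Constructed sample input mirroring the post: both DCs configured, but the
# sessions go to the second one (the state after the manual failover).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = TEST
   password server = 192.168.100.100, 192.168.100.101
EOF
cat > "$SAMPLE_DIR/netstat.txt" <<'EOF'
tcp 0 0 192.168.100.151:33998 192.168.100.101:389 ESTABLISHED
tcp 0 0 192.168.100.151:34004 192.168.100.101:445 ESTABLISHED
EOF
```

Run with a real "netstat -na > /tmp/netstat.txt" and "/etc/samba/smb.conf" to see which DC the server is actually bound to; an empty result from active_dc is the symptom the post describes.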