samba - Jan 2007 - can samba figure out the "closest" domain controller in ADS mode?

I'v got working Samba ADS servers, but "net ads info" shows most
of them
are associated with Win2K3 domain controllers that are in different
sites than the ones the Samba servers are in (we have a large WAN with
DCs in every site). I'm not configuring "password server" as I
want
Samba to be more fault tolerant than pointing it at one DC - when there
are many to choose from. It looks like Samba is just doing a DNS lookup
on the realm name and binding to the top DC in the list?

Active Directory does allow you to define sites and Windows boxes figure
out where their closest DC is from that information - but it looks like
Samba can not? Is that correct, or is there something else I can do?
Resolving usernames/groups is pretty dire due to this - a Samba server
in Sweden is currently  using a DC in Beijing for example.


This is Samba-3.0.23d under CentOS4.4

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

On Sat, Jan 06, 2007 at 08:01:49PM +1300, Jason Haar
wrote:
> I'v got working Samba ADS servers, but "net ads info" shows
most of them
> are associated with Win2K3 domain controllers that are in different
> sites than the ones the Samba servers are in (we have a large WAN with
> DCs in every site). I'm not configuring "password server" as
I want
> Samba to be more fault tolerant than pointing it at one DC - when there
> are many to choose from. It looks like Samba is just doing a DNS lookup
> on the realm name and binding to the top DC in the list?
> 
> Active Directory does allow you to define sites and Windows boxes figure
> out where their closest DC is from that information - but it looks like
> Samba can not? Is that correct, or is there something else I can do?
> Resolving usernames/groups is pretty dire due to this - a Samba server
> in Sweden is currently  using a DC in Beijing for example.
> 
> 
> This is Samba-3.0.23d under CentOS4.4
Site support is one of the new winbindd features added
for 3.0.24. Guenther and I are working on one last bug
we know about - we expect to have that fixed next week.

Site support does affect the krb5.conf though - the solution
we adopted for SuSE 10.x was to actually move the user
specified krb5.conf out of the way and re-write it with
a link to a winbindd created krb5.conf. Works well for
desktops but not for servers. I think the new version of
MIT krb5 has a Guenther patch that allows site lookups
from the krb5 libs.

Anyway, if you want you can compile in the "overwrite
krb5.conf" code in 3.0.24. If you want to test this
we'd appreciate it very much !

Jeremy.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason Haar wrote:
> Active Directory does allow you to define sites and 
> Windows boxes figure out where their closest DC is from
> that information - but it looks like Samba can not?
The upcoming 3.0.24 has site support.





cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFn/9EIR7qMdg1EfYRAslpAKC1zek8jt+1tZOljYd5ltxFDHkuhgCgwnaZ
n4mkE84T1G1CvEuRgxhjvuM=nbbR
-----END PGP SIGNATURE-----