Paulo Almeida wrote:
> Hi,
>
> Is it possible to assign several AD domain servers in the krb5.conf file?
> The question is, if one of the AD servers goes down, it would be useful if samba could
> get authentication through another AD server in the domain.
> Sorry if this question has already been answered previously.
>
> Domain Server: MS Windows 2003 SP2
> Linux Box: SLES 10 SP1 (kernel 2.6.16)
> Samba version: 3.0.24-2.28
> Kerberos version: 1.4.3-19.25
>
> Best regards,
> Paulo Almeida
>
Paulo,
set the entries in the [libdefaults] section like this.
default_realm = <FQDN of domain>
dns_lookup_kdc=true
dns_lookup_realm=true
then add records to your DNS of the following form.
_kerberos.<zone> in txt <FQDN of domain>
The FQDN of the domain is the AD domain name, e.g. domain.example.com.
The zone is the local zone for the workstation/server running Linux, e.g.
linux.example.com.
The Kerberos lookups will then get a list of KDCs from the domain
servers (so long as they can find the zone data for the domain) by
looking up the SRV records for the KDC (and falling back to the A record
lookup for the domain name), and will tie the local workstation to the
domain via the TXT record.
If you have multiple zones in which your workstations/servers are 
installed you can also add the following to the domain_realm section of 
the krb5.conf file
<zone> = <FQDN of domain>
.<zone> = <FQDN of domain>
for each zone in your network(s). Note you should always do this for at 
least the zone that the local machine is within.
This will allow the machines to failover if the AD controller they try 
to contact is down. Be warned however that there is a large window when 
controllers are shutting down or starting up where they offer KDC 
services (i.e. respond to messages) but do not provide those services. 
This can result in logins timing out or being rejected because the KDC 
has started but the AD LDAP environment is not fully up etc. So this 
will cope with hard failures and machines being switched off but not 
with machines currently failing, shutting down or starting up.
If you are using Samba as the authentication route via pam_winbind you 
might also need to add the line
password server = <FQDN of domain>
into smb.conf to get this to work.
Regards Howard.
-- 
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@cohtech.com
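The lookup chain Howard describes (static [domain_realm] mapping first, then the _kerberos.<zone> TXT record, then the KDC SRV records with the A record as fallback), modelled as an added example that is not part of the thread or of the krb5 library. The zone data below is constructed sample data, and the host names dc1/dc2 and the 192.0.2.x addresses are assumptions.

```python
# Added example: a model of the realm and KDC discovery chain described in
# the reply above. DOMAIN_REALM stands in for the [domain_realm] section of
# krb5.conf; DNS is a constructed zone table keyed by (name, record type).
DOMAIN_REALM = {
    "linux.example.com": "DOMAIN.EXAMPLE.COM",
    ".linux.example.com": "DOMAIN.EXAMPLE.COM",
}

DNS = {  # constructed sample records; dc1/dc2 and addresses are assumptions
    ("_kerberos.linux.example.com", "TXT"): ["DOMAIN.EXAMPLE.COM"],
    ("_kerberos._tcp.domain.example.com", "SRV"): [
        # (priority, weight, port, target)
        (0, 100, 88, "dc1.domain.example.com"),
        (10, 100, 88, "dc2.domain.example.com"),
    ],
    ("domain.example.com", "A"): ["192.0.2.10", "192.0.2.11"],
}


def host_to_realm(host, domain_realm=DOMAIN_REALM, dns=DNS):
    """Map a host name to its realm: exact [domain_realm] entry first, then
    parent-domain entries with a leading dot, then the _kerberos.<zone> TXT
    record, walking up the name as dns_lookup_realm=true does."""
    labels = host.lower().split(".")
    if host.lower() in domain_realm:
        return domain_realm[host.lower()]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    for i in range(len(labels)):
        txt = dns.get(("_kerberos." + ".".join(labels[i:]), "TXT"))
        if txt:
            return txt[0]
    return None  # no mapping: the client cannot pick a realm for this host


def kdcs_for_realm(realm, dns=DNS):
    """Return the ordered failover list of KDCs for a realm: SRV targets
    sorted by priority (lowest first; weight is ignored in this model),
    falling back to the realm name's A records on port 88 when no SRV
    records exist, as the reply describes."""
    srv = dns.get(("_kerberos._tcp." + realm.lower(), "SRV"))
    if srv:
        return [f"{target}:{port}" for _, _, port, target in sorted(srv, key=lambda r: r[0])]
    return [f"{addr}:88" for addr in dns.get((realm.lower(), "A"), [])]
```

A client that fails to reach dc1 moves on to dc2; a controller that is only partly up still answers and is not skipped, which is the warning in the reply.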