On 01/10/14 11:56, Jonathan Gazeley wrote:> Hi chaps,
>
> I've been using Winbind for several years to authenticate 802.1x
> wireless users against Active Directory via FreeRADIUS. The solution
> we've been using until now has been adequate but I've noticed some
> problematic behaviour. We're running all stock packages from CentOS 6
> repos. Current version of winbind is 3.6.9. Unfortunately the Windows
> DCs are managed by a different team and we don't have access to their
> settings or logs.
>
> We locate domain controllers using a DNS round-robin on ads.bris.ac.uk
> which returns about 10 DCs. I've noticed that quite often, our three
> RADIUS servers all latch onto the same DC and cause loading problems.
>
> In my smb.conf I've set "password server" to the DNS name of
> individual DCs but this parameter seems to be ignored. Even after
> restarting winbind or rebooting, the system always goes back to the
> same DC.
>
> I've also tried explicitly setting the names of individual DCs in
> krb5.conf and this does not help the situation.
>
> Can someone with winbind experience please explain what is going on,
> and how I can force my RADIUS servers to latch onto specific DCs for
> their authentications, so I can ensure that they don't all pile onto
> the same DC and overload it.
>
> Thanks,
> Jonathan
Bit of information from further testing - I was able to make winbind
stop using the first DC by temporarily adding an iptables rule that
dropped all outbound traffic to the first DC. Then, when restarting
winbind, it picked a different DC. Surely there's a better way than this?
Thanks,
Jonathan