Hi,

I would like to ask how exactly the "password server =" smb.conf option works. The man pages say that the option is to "restrict Samba to do all its username/password validation using a specific remote server"

I know that we should normally leave it empty, to have samba auto-discover the DCs. But my question is:

Suppose it's defined like:

> password server = samba4.domain.com

and the dns samba4.domain.com resolves to our DCs, like:

> root at pf:~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.1
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> root at pf~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> samba.merit.unu.edu has address 192.168.0.1

But DCs can be offline. Hence the question below:

Which scenario applies:

#1: samba talks to all three IPs for all connection attempts, and just waits to see which DC happens to be online / offline?

or

#2: samba talks to 192.168.0.1 on the first connection, and 192.168.0.2 for the next? (using the round-robin dns)
From load balancing perspective, this second option spreads the load much nicer, but when a DC happens to be offline, 1/3 of the connection attempts would timeout...

Can anyone tell me how this works?

MJ
Nobody knows..?

Or my question is unclear..?

MJ

On 06/14/2017 09:59 AM, mj via samba wrote:
> Hi,
>
> I would like to ask how exactly the "password server =" smb.conf option
> works. The man pages say that the option is to "restrict Samba to do
> all its username/password validation using a specific remote server"
>
> I know that we should normally leave it empty, to have samba
> auto-discover the DCs. But my question is:
>
> Suppose it's defined like:
> > password server = samba4.domain.com
>
> and the dns samba4.domain.com resolves to our DCs, like:
>
>> root at pf:~# host -t A samba4.company.com
>> samba.merit.unu.edu has address 192.168.0.1
>> samba.merit.unu.edu has address 192.168.0.2
>> samba.merit.unu.edu has address 192.168.0.3
>> root at pf~# host -t A samba4.company.com
>> samba.merit.unu.edu has address 192.168.0.2
>> samba.merit.unu.edu has address 192.168.0.3
>> samba.merit.unu.edu has address 192.168.0.1
>
> But DCs can be offline. Hence the question below:
>
> Which scenario applies:
> #1: samba talks to all three IPs for all connection attempts, and just
> waits to see which DC happens to be online / offline?
>
> or
>
> #2: samba talks to 192.168.0.1 on the first connection, and 192.168.0.2
> for the next? (using the round-robin dns)
> From load balancing perspective, this second option spreads the load
> much nicer, but when a DC happens to be offline, 1/3 of the connection
> attempts would timeout...
>
> Can anyone tell me how this works?
>
> MJ
>
On Thu, 15 Jun 2017 10:14:45 +0200
mj via samba <samba at lists.samba.org> wrote:

> Nobody knows..?
>
> Or my question is unclear..?
>

OK, whilst it is recommended to use 'password server = *' you can use a list of servers instead. I personally do not see the point of setting it as you are proposing, surely it is just the same as using '*' ?

I am also struggling to understand how different Samba DCs can have the same hostname, I can understand a DC having multiple interfaces and therefore multiple IPs. Of course this could be down to sanitising the output, but if this is the case, try and do this in a way that identifies individual machines:

You posted:

> root at pf:~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.1
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> root at pf~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> samba.merit.unu.edu has address 192.168.0.1

Perhaps it should have been:

> root at pf:~# host -t A samba4.company.com
> dc1.merit.unu.edu has address 192.168.0.1
> dc2.merit.unu.edu has address 192.168.0.2
> dc3.merit.unu.edu has address 192.168.0.3
> root at pf~# host -t A samba4.company.com
> dc2.merit.unu.edu has address 192.168.0.2
> dc3.merit.unu.edu has address 192.168.0.3
> dc1.merit.unu.edu has address 192.168.0.1

Also, I hope that the domain name 'samba4.domain.com' doesn't map to 'merit.uni.edu'

If my reading of this is wrong, then please explain yourself better.

If you really do want Samba to use a specific DC before all others, I would do something like this:

password server = DC1, *

This way, it would try to use 'DC1' first and then, if this failed, it would fall back to finding the nearest/best DC as normal.

Rowland
Hi,

Added some extra comment..

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 15 June 2017 11:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] question on password server
>
> On Thu, 15 Jun 2017 10:14:45 +0200
> mj via samba <samba at lists.samba.org> wrote:
>
> > Nobody knows..?
> >
> > Or my question is unclear..?
> >
>
> OK, whilst it is recommended to use 'password server = *' you
> can use a list of servers instead. I personally do not see
> the point of setting it as you are proposing, surely it is
> just the same as using '*' ?
>
> I am also struggling to understand how different Samba DCs
> can have the same hostname, I can understand a DC having
> multiple interfaces and therefore multiple IPs. Of course
> this could be down to sanitising the output, but if this is
> the case, try and do this in a way that identifies individual
> machines:
>
> You posted:
>
> > root at pf:~# host -t A samba4.company.com
> > samba.merit.unu.edu has address 192.168.0.1
> > samba.merit.unu.edu has address 192.168.0.2
> > samba.merit.unu.edu has address 192.168.0.3
> > root at pf~# host -t A samba4.company.com
> > samba.merit.unu.edu has address 192.168.0.2
> > samba.merit.unu.edu has address 192.168.0.3
> > samba.merit.unu.edu has address 192.168.0.1
>
> Perhaps it should have been:
>
> > root at pf:~# host -t A samba4.company.com
> > dc1.merit.unu.edu has address 192.168.0.1
> > dc2.merit.unu.edu has address 192.168.0.2
> > dc3.merit.unu.edu has address 192.168.0.3
> > root at pf~# host -t A samba4.company.com
> > dc2.merit.unu.edu has address 192.168.0.2
> > dc3.merit.unu.edu has address 192.168.0.3
> > dc1.merit.unu.edu has address 192.168.0.1

What M-J wrote, is correct, he is querying the "internal.dnsdomain.tld" Which resolve to ip, with PTR's to A, which is the DC hostname. If this did not work, then you can not power down your AD DC, and keep everything running.

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Verifying_DNS

Imo, wiki should mention if you have multiple DC's run the A record test also for the primary domain.

host -t A samdom.example.com.

>
> Also, I hope that the domain name 'samba4.domain.com' doesn't
> map to 'merit.uni.edu'
>
> If my reading of this is wrong, then please explain yourself better.
>
> If you really do want Samba to use a specific DC before all
> others, I would do something like this:
>
> password server = DC1, *

I think best is use :
password server = *
( so no changes in smb.conf and keep the default )

>
> This way, it would try to use 'DC1' first and then, if this
> failed, it would fall back to finding the nearest/best DC as normal.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>

Greetz,

Louis
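The A-record test for the domain name suggested in the message above can be scripted so that round-robin order does not matter and a missing or stray record stands out. This is an added example, not part of the thread or of Samba; the function names and the sample `host` output are constructed, using the addresses and the `samdom.example.com` name quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): check the A records behind an AD
# domain name against the DC addresses you expect to see.

# Read `host -t A <name>` output on stdin, print the unique addresses.
a_records() {
    awk '/ has address /{print $NF}' | sort -u
}

# Usage: host -t A samdom.example.com. | check_dc_records "ip1 ip2 ..."
# Prints MISSING/UNEXPECTED lines; returns 0 only when both sets are equal.
check_dc_records() {
    expected=$(printf '%s\n' $1 | sort -u)   # unquoted on purpose: split the list
    actual=$(a_records)
    rc=0
    for ip in $expected; do
        printf '%s\n' "$actual" | grep -qxF "$ip" || { echo "MISSING $ip"; rc=1; }
    done
    for ip in $actual; do
        printf '%s\n' "$expected" | grep -qxF "$ip" || { echo "UNEXPECTED $ip"; rc=1; }
    done
    return $rc
}

# Constructed sample: an answer in rotated (round-robin) order.
SAMPLE_ROTATED='samdom.example.com has address 192.168.0.2
samdom.example.com has address 192.168.0.3
samdom.example.com has address 192.168.0.1'

# Constructed sample: one DC record gone, one address that is not a DC.
SAMPLE_DRIFT='samdom.example.com has address 192.168.0.1
samdom.example.com has address 192.168.0.3
samdom.example.com has address 192.168.0.9'

DCS="192.168.0.1 192.168.0.2 192.168.0.3"
printf '%s\n' "$SAMPLE_ROTATED" | check_dc_records "$DCS" && echo "rotated answer: OK"
printf '%s\n' "$SAMPLE_DRIFT" | check_dc_records "$DCS" || echo "drifted answer: review DNS"
```
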
On Thu, 2017-06-15 at 10:14 +0200, mj via samba wrote:
> Nobody knows..?
>
> Or my question is unclear..?
>
> MJ

Please just don't. I know Samba is incredibly flexible in the options it accepts, but every time someone tries to be extra tricky it sets up a case for strange failure in the long term.

Andrew Bartlett

> On 06/14/2017 09:59 AM, mj via samba wrote:
> > Hi,
> >
> > I would like to ask how exactly the "password server =" smb.conf option
> > works. The man pages say that the option is to "restrict Samba to do
> > all its username/password validation using a specific remote server"
> >
> > I know that we should normally leave it empty, to have samba
> > auto-discover the DCs. But my question is:
> >
> > Suppose it's defined like:
> > > password server = samba4.domain.com
> >
> > and the dns samba4.domain.com resolves to our DCs, like:
> >
> > > root at pf:~# host -t A samba4.company.com
> > > samba.merit.unu.edu has address 192.168.0.1
> > > samba.merit.unu.edu has address 192.168.0.2
> > > samba.merit.unu.edu has address 192.168.0.3
> > > root at pf~# host -t A samba4.company.com
> > > samba.merit.unu.edu has address 192.168.0.2
> > > samba.merit.unu.edu has address 192.168.0.3
> > > samba.merit.unu.edu has address 192.168.0.1
> >
> > But DCs can be offline. Hence the question below:
> >
> > Which scenario applies:
> > #1: samba talks to all three IPs for all connection attempts, and just
> > waits to see which DC happens to be online / offline?
> >
> > or
> >
> > #2: samba talks to 192.168.0.1 on the first connection, and 192.168.0.2
> > for the next? (using the round-robin dns)
> > From load balancing perspective, this second option spreads the load
> > much nicer, but when a DC happens to be offline, 1/3 of the connection
> > attempts would timeout...
> >
> > Can anyone tell me how this works?
> >
> > MJ
> >
> >

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba