On Thu, 15 Jun 2017 10:14:45 +0200 mj via samba <samba at lists.samba.org> wrote:

> Nobody knows..?
>
> Or my question is unclear..?

OK, whilst it is recommended to use 'password server = *' you can use a list of servers instead. I personally do not see the point of setting it as you are proposing, surely it is just the same as using '*' ?

I am also struggling to understand how different Samba DCs can have the same hostname, I can understand a DC having multiple interfaces and therefore multiple IPs. Of course this could be down to sanitising the output, but if this is the case, try and do this in a way that identifies individual machines:

You posted:

> root at pf:~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.1
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> root at pf~# host -t A samba4.company.com
> samba.merit.unu.edu has address 192.168.0.2
> samba.merit.unu.edu has address 192.168.0.3
> samba.merit.unu.edu has address 192.168.0.1

Perhaps it should have been:

> root at pf:~# host -t A samba4.company.com
> dc1.merit.unu.edu has address 192.168.0.1
> dc2.merit.unu.edu has address 192.168.0.2
> dc3.merit.unu.edu has address 192.168.0.3
> root at pf~# host -t A samba4.company.com
> dc2.merit.unu.edu has address 192.168.0.2
> dc3.merit.unu.edu has address 192.168.0.3
> dc1.merit.unu.edu has address 192.168.0.1

Also, I hope that the domain name 'samba4.domain.com' doesn't map to 'merit.uni.edu'

If my reading of this is wrong, then please explain yourself better.

If you really do want Samba to use a specific DC before all others, I would do something like this:

password server = DC1, *

This way, it would try to use 'DC1' first and then, if this failed, it would fall back to finding the nearest/best DC as normal.

Rowland
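For readers following the thread, here are the 'password server' variants discussed in it side by side in an smb.conf [global] section. This is an added illustration, not a configuration posted by anyone in the thread and not the PacketFence-generated file; the DC hostnames dc1/dc2/dc3.samba4.company.com and the realm follow the sanitised names used later in the thread, and the other global settings are assumed placeholders. Only one of the 'password server' lines should be active at a time; the others are commented out.

```ini
[global]
   # Placeholder domain settings (assumed, not from the thread).
   workgroup = SAMBA4
   realm = SAMBA4.COMPANY.COM
   security = ADS

   # 1. Recommended (equivalent to omitting the line): Samba locates
   #    the nearest/best DC itself, as Rowland describes above.
   password server = *

   # 2. Prefer one DC, and fall back to automatic DC location if it
   #    does not respond (Rowland's suggestion above).
   #password server = dc1.samba4.company.com, *

   # 3. What the generated configuration uses: a single name that
   #    resolves round-robin to all three DC addresses. The open
   #    question in the thread is whether Samba verifies that the
   #    resolved DC is reachable before using it.
   #password server = samba4.company.com

   # 4. Explicit ordered list: the entries are tried in this order.
   #password server = dc1.samba4.company.com, dc2.samba4.company.com, dc3.samba4.company.com
```

After editing, `testparm` will report whether the file parses; it does not tell you which DC was chosen at run time, so the behaviour of variant 3 with a DC offline has to be observed with one DC actually down, which is exactly what MJ is asking about.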
Hi Rowland,

On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> OK, whilst it is recommended to use 'password server = *' you can use a
> list of servers instead. I personally do not see the point of setting
> it as you are proposing, surely it is just the same as using '*' ?

I know. I am asking because we are using a product called packetfence that generates an smb.conf automatically, based on configuration provided in their web admin interface.

The config that packetfence generates includes the line

> password server = samba4.domain.com

I asked them why that is, and if it's perhaps better to remove it, so their config will default to "password server = *" (as I have on our servers)

Then they sent me an explanation why they feel it should be there.

That's when I decided to ask here about the exact way the "password server =" line works. (specifically in the case of some DCs being down)

I see now how I messed up sanitation... I will post again below, and DOUBLE check:

samba4.company.com is the AD DNS name, REALM.

>> root at pf:~# host -t A samba4.company.com
>> samba4.company.com has address 192.168.0.1
>> samba4.company.com has address 192.168.0.2
>> samba4.company.com has address 192.168.0.3
>> root at pf~# host -t A samba4.company.com
>> samba4.company.com has address 192.168.0.2
>> samba4.company.com has address 192.168.0.3
>> samba4.company.com has address 192.168.0.1

That's my output, also showing the round robin dns in action. Your suggestion listed specific DCs. That's NOT what I get.

Our DCs are like:

>> root at pf~# host -t A d2.samba4.company.com
>> dc2.samba4.company.com has address 192.168.0.2

and likewise for DC3 and DC1. Everything is working fine.

> Also, I hope that the domain name 'samba4.domain.com' doesn't map to 'merit.uni.edu'

No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever mentioned our external dns domain. :-)

> If my reading of this is wrong, then please explain yourself better.

I hope I did now...

> If you really do want Samba to use a specific DC before all others, I
> would do something like this:

No, what I would like, is for the packetfence samba configuration to be as robust as possible, because it will be doing 802.1x authentication for our wired windows workstations. (and we don't want that to fail...)

I am trying to understand how things would function with *their* smb.conf (containing "password server = samba4.company.com") while one or two of our three DCs are offline.

And perhaps I should also simply tell them that you (as being "the samba team") would also recommend (like I did before) to remove the line altogether?

Problem is that while I can manually remove the line from their smb.conf, it will be regenerated on every config change. :-(

Hope things are clearer now..? Thanks for taking the time to reply!

MJ
Read below.. ;-)

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday 15 June 2017 11:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] question on password server
>
> Hi Rowland,
>
> On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> > OK, whilst it is recommended to use 'password server = *' you can use a
> > list of servers instead. I personally do not see the point of setting
> > it as you are proposing, surely it is just the same as using '*' ?
> I know. I am asking because we are using a product called packetfence
> that generates an smb.conf automatically, based on configuration
> provided in their web admin interface.
>
> The config that packetfence generates includes the line
> > password server = samba4.domain.com
>
> I asked them why that is, and if it's perhaps better to remove it, so
> their config will default to "password server = *"
> (as I have on our servers)
>
> Then they sent me an explanation why they feel it should be there.
>
> That's when I decided to ask here about the exact way the "password
> server =" line works. (specifically in the case of some DCs
> being down)
>
> I see now how I messed up sanitation... I will post again below, and
> DOUBLE check:
>
> samba4.company.com is the AD DNS name, REALM.
>
> >> root at pf:~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.1
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> root at pf~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> samba4.company.com has address 192.168.0.1
> That's my output, also showing the round robin dns in action. Your
> suggestion listed specific DCs. That's NOT what I get.

Your output is 100% correct.. No worries.. ;-)

My test same, I just can find the technet article on this just now.

host -t A internal.domain.tld
internal.domain.tld has address 192.168.0.2
internal.domain.tld has address 192.168.0.1

(These two can change in order.)

Imo. The suggestion of packetfence..
It's not wrong to use : password server = internal.domain.tld
But it is not the same as : password server = *

What we need here is, how does this exactly work. (from the password server setting/function/code etc..)

What I think,
In case of password server = internal.domain.tld
PF resolves internal.domain.tld, and comes back with one of the 2 domain controllers in this example.
And to my belief but this is more a developer question, so Rowland pay attention.. ;-)
If the resolving is done by the "password server" setting, does it check if the server is online.

In case of the setting : password server = *
To my belief a check is done if the server is online.
But I just can't read this in the code, for me much too complex..

And that's the question..

Greetz,

Louis

>
> Our DCs are like:
> >> root at pf~# host -t A d2.samba4.company.com
> >> dc2.samba4.company.com has address 192.168.0.2
> and likewise for DC3 and DC1. Everything is working fine.
>
> > Also, I hope that the domain name 'samba4.domain.com'
> > doesn't map to 'merit.uni.edu'
> No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever
> mentioned our external dns domain. :-)
>
> > If my reading of this is wrong, then please explain yourself better.
> I hope I did now...
>
> > If you really do want Samba to use a specific DC before all
> > others, I would do something like this:
> No, what I would like, is for the packetfence samba
> configuration to be as robust as possible, because it will be doing
> 802.1x authentication for our wired windows workstations. (and we
> don't want that to fail...)
>
> I am trying to understand how things would function with *their*
> smb.conf (containing "password server = samba4.company.com")
> while one or two of our three DCs are offline.
>
> And perhaps I should also simply tell them that you (as being
> "the samba team") would also recommend (like I did before) to remove
> the line altogether?
>
> Problem is that while I can manually remove the line from their
> smb.conf, it will be regenerated on every config change. :-(
>
> Hope things are clearer now..? Thanks for taking the time to reply!
>
> MJ
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Thu, 15 Jun 2017 11:51:18 +0200 mj via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> > OK, whilst it is recommended to use 'password server = *' you can
> > use a list of servers instead. I personally do not see the point of
> > setting it as you are proposing, surely it is just the same as
> > using '*' ?
> I know. I am asking because we are using a product called packetfence
> that generates an smb.conf automatically, based on configuration
> provided in their web admin interface.

I will take a look at packetfence.

OK, done a quick scan and found this in their Administration Guide:

When done with the Samba install, modify your /etc/hosts in order to add the FQDN of your Active Directory servers.

ER, why ? Active directory relies on DNS, so you should never have to do that, if DNS isn't working, AD isn't either.

> The config that packetfence generates includes the line
> > password server = samba4.domain.com
>
> I asked them why that is, and if it's perhaps better to remove it, so
> their config will default to "password server = *"
> (as I have on our servers)
>
> Then they sent me an explanation why they feel it should be there.

Could you share this, offlist if needs be.

> That's when I decided to ask here about the exact way the "password
> server =" line works. (specifically in the case of some DCs being
> down)
>
> I see now how I messed up sanitation... I will post again below, and
> DOUBLE check:
>
> samba4.company.com is the AD DNS name, REALM.
>
> >> root at pf:~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.1
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> root at pf~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> samba4.company.com has address 192.168.0.1
> That's my output, also showing the round robin dns in action. Your
> suggestion listed specific DCs. That's NOT what I get.

I can understand that now, it was the mis-match of domain names that was confusing me.

> Our DCs are like:
> >> root at pf~# host -t A d2.samba4.company.com
> >> dc2.samba4.company.com has address 192.168.0.2
> and likewise for DC3 and DC1. Everything is working fine.
>
> > Also, I hope that the domain name 'samba4.domain.com' doesn't map
> > to 'merit.uni.edu'
> No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever
> mentioned our external dns domain. :-)

What external domain ? ;-)

> No, what I would like, is for the packetfence samba configuration to
> be as robust as possible, because it will be doing 802.1x
> authentication for our wired windows workstations. (and we don't want
> that to fail...)
>
> I am trying to understand how things would function with *their*
> smb.conf (containing "password server = samba4.company.com") while
> one or two of our three DCs are offline.
>
> And perhaps I should also simply tell them that you (as being "the
> samba team") would also recommend (like I did before) to remove the
> line altogether?
>
> Problem is that while I can manually remove the line from their
> smb.conf, it will be regenerated on every config change. :-(
>
> Hope things are clearer now..? Thanks for taking the time to reply!
>
> MJ

Ah, so it is not a case of wanting to use a specific DC, but to ensure you can find a DC. Samba recommends that you use '*' (or to put it another way, don't add the line). The Samba code will dynamically find the best DC to use, packetfence may be interfering with this by adding the line in the way it does.

As packetfence adds the line, it is probably doing it from a template somewhere, so if you can find this template, you should be able to remove this line, if you should so wish.

Rowland
On 06/15/2017 12:04 PM, L.P.H. van Belle via samba wrote:
> What i think,
> In case of password server = internal.domain.tld
> PF resolves internal.domain.tld, and comes back with one of the 2 domain controllers in this example.

Yes, that would be what I called option #2, in my original message. And in that case, when a DC is down, communication would fail (timeout) 1/3 of the time, in the case of one out of three DCs down.

And (option #1 as I called it) would be: samba noticing the fact that internal.domain.tld resolves to *THREE* IPs, and always start talking to all three initially, and just wait to see which ones happen to reply, and which not.

I know the question is _very_ detailed and specific.... :-)

MJ
On Thu, 15 Jun 2017 12:04:54 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Imo. The suggestion of packetfence..
> Its not wrong to use : password server = internal.domain.tld
> But it is not the same as : password server = *

No it is not the same, but it is the next best thing to it.

> What we need here is, how does this exact work. ( from the password
> server setting/function/code etc.. )
>
> What i think,
> In case of password server = internal.domain.tld
> PF resolves internal.domain.tld, and comes back with one of the 2
> domain controllers in this example. And to my believe but this is
> more a developer question, so Rowland pay attention.. ;-) If the
> resolving is done by the "password server" setting, does it check if
> the server is online.

Not an expert here, but I would imagine that yes, this probably does check if the DC is on line, but probably not in the way you think.

If you use 'password server = *', I would expect Samba to check for DCs and then use the nearest/best one it finds.

If you use 'password server' in the way that packetfence suggests, you will get a list of DCs and then Samba will use the first one on that list and if it doesn't reply, it will try the next one and so on until it connects.

As I said, this is my understanding of how it works, if it is wrong, I am sure someone like Andrew will jump in and explain it better.

Rowland
On Thu, 2017-06-15 at 11:51 +0200, mj via samba wrote:
> And perhaps I should also simply tell them that you (as being "the samba
> team") would also recommend (like I did before) to remove the line
> altogether?

Yes.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba