I have control only over the Winbind client, not over the AD server... so I need to ask, is "sites" something set up on the AD side?... and since you suggest that DNS impacts this, are you saying that the "sites" parameter is encoded in the DNS values?... Do I need to ensure that the host is querying an AD DNS directly, or will it still work if the DNS is relayed via another local DNS server?

James

On 18/05/2019 09:04, Stefan Kania via samba wrote:
> If you use bind9 as DNS the client will get the list via round-robin and
> will take the first IP from the list, BUT if you set up sites then the
> client will take one from its site.
>
> On 16.05.19 at 16:21, A. James Lewis via samba wrote:
>> Hi all,
>>
>> A slightly hypothetical one here... but after Samba (Winbind actually)... looks up the list of AD servers for a domain from DNS... what method does it use to decide which is the correct (most local?) domain controller to connect to/log in to?
>>
>> What will its behaviour be if it connects to one, or two which don't have connectivity?
>>
>> --
>> A. James Lewis (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why cement works."
>
On 18/05/2019 16:35, A. James Lewis via samba wrote:
> I have control only over the Winbind client, not over the AD server...
> so I need to ask, is "sites" something set up on the AD side?... and
> since you suggest that DNS impacts this, are you saying that the
> "sites" parameter is encoded in the DNS values?... Do I need to ensure
> that the host is querying an AD DNS directly, or will it still work if
> the DNS is relayed via another local DNS server?
>
If you are going to use 'sites', you are going to need control over the AD DC to create a new site :-(

Basically a site would contain one DC (at least) and various clients, these clients would use the DC in the site for authentication etc, unless the DC goes down, at which point the clients would use any DC in the domain. Sites are usually used for locations that are in separate places, this can be different buildings or countries.

Domain clients use DNS to locate DCs and will try to use the most relevant one, but this may not be the one you want it to use. By default, all domain members & DCs are in the same 'site', so a client can & will use any DC it finds.

Sounds like you need to talk to your Windows sysadmin, they will know and understand the above, if they don't, then it is time for a new Windows sysadmin ;-)

Rowland
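To make the selection order described in the two replies above concrete (site DC first, any DC in the domain as fallback, round-robin order when no site applies), here is an added example that is not code from the thread or from Samba/Winbind. It models a site-aware DC locator over a constructed set of DNS SRV answers. The SRV names follow the standard AD convention (`_ldap._tcp.dc._msdcs.<domain>` and `_ldap._tcp.<site>._sites.dc._msdcs.<domain>`), which the thread itself does not spell out; `example.com`, the site names `london` and `paris`, and the `dcN.example.com` hosts are assumptions for the sample data. Real clients pick among equal-priority records by weighted random choice; this model orders them deterministically so the result can be checked.

```python
# Added example (not from the samba list thread): models how an AD client
# picks a domain controller from DNS SRV records, preferring its own site
# and falling back to any DC in the domain when the site DC is unreachable.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    priority: int  # RFC 2782: lower priority is tried first
    weight: int    # RFC 2782: relative share among equal-priority records


def srv_name(domain: str, site: Optional[str] = None) -> str:
    """Standard AD DC-locator SRV name; site-specific names live under _sites."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Constructed sample zone data standing in for the answers a resolver would
# return. example.com, the 'london' site and dc1..dc3 are assumed names.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.dc._msdcs.example.com": [
        SrvRecord("dc1.example.com", 389, 0, 100),
        SrvRecord("dc2.example.com", 389, 0, 100),
        SrvRecord("dc3.example.com", 389, 10, 100),  # lower-priority backup DC
    ],
    # Only dc2 is registered in the 'london' site.
    "_ldap._tcp.london._sites.dc._msdcs.example.com": [
        SrvRecord("dc2.example.com", 389, 0, 100),
    ],
}


def order_candidates(records: List[SrvRecord]) -> List[SrvRecord]:
    """Order SRV records the way a client walks them: ascending priority,
    then heavier weight first. A real client randomises among equal
    weights; the target name is used here as a deterministic tie-break."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def locate_dcs(zone: Dict[str, List[SrvRecord]], domain: str,
               site: Optional[str] = None,
               unreachable: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the ordered list of DC targets a site-aware client would try.

    1. DCs from the client's own site record, if the site has one.
    2. Then every other DC in the domain-wide record (the fallback Rowland
       describes when the site DC is down).
    Targets in `unreachable` are skipped, so a dead site DC makes the client
    move on to the next candidate rather than stall."""
    names = [srv_name(domain, site)] if site else []
    names.append(srv_name(domain))
    order: List[str] = []
    for name in names:
        for rec in order_candidates(zone.get(name, [])):
            if rec.target in unreachable or rec.target in order:
                continue
            order.append(rec.target)
    return order


if __name__ == "__main__":
    print("london site:      ", locate_dcs(SAMPLE_ZONE, "example.com", "london"))
    print("london, dc2 down: ", locate_dcs(SAMPLE_ZONE, "example.com", "london",
                                           frozenset({"dc2.example.com"})))
    print("no site known:    ", locate_dcs(SAMPLE_ZONE, "example.com"))
    print("site w/o records: ", locate_dcs(SAMPLE_ZONE, "example.com", "paris"))
```

The `paris` case shows the behaviour Rowland describes for a site with no DC of its own: the site-specific name has no records, so the client ends up using any DC in the domain. On a real member server, `net ads lookup` prints the site name the client believes it is in and the DC it found, which is the quickest way to see whether Winbind has learned a site at all before blaming site support.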
I'm sure the Windows admins have set up the "Sites" as required... but when trying to resolve issues with logon, the Windows admins are assuming that Samba doesn't support "sites" and blaming that for the issue... so, I'm hoping someone will tell me how the client determines the correct site, and the AD controllers in that site, and ultimately if Samba/Winbind should support it. Obviously also anything we might be doing which would cause it not to work.

James

On 18/05/2019 17:03, Rowland penny via samba wrote:
> On 18/05/2019 16:35, A. James Lewis via samba wrote:
>> I have control only over the Winbind client, not over the AD
>> server... so I need to ask, is "sites" something set up on the AD
>> side?... and since you suggest that DNS impacts this, are you saying
>> that the "sites" parameter is encoded in the DNS values?... Do I need
>> to ensure that the host is querying an AD DNS directly, or will it
>> still work if the DNS is relayed via another local DNS server?
>>
> If you are going to use 'sites', you are going to need control over
> the AD DC to create a new site :-(
>
> Basically a site would contain one DC (at least) and various clients,
> these clients would use the DC in the site for authentication etc,
> unless the DC goes down, at which point the clients would use any DC
> in the domain. Sites are usually used for locations that are in
> separate places, this can be different buildings or countries.
>
> Domain clients use DNS to locate DCs and will try to use the most
> relevant one, but this may not be the one you want it to use. By
> default, all domain members & DCs are in the same 'site', so a client
> can & will use any DC it finds.
>
> Sounds like you need to talk to your Windows sysadmin, they will know
> and understand the above, if they don't, then it is time for a new
> Windows sysadmin ;-)
>
> Rowland
>