I'm sure the Windows admins have set up the "Sites" as required... but when trying to resolve issues with logon, the Windows admins are assuming that Samba doesn't support "sites" and blaming that for the issue... so, I'm hoping someone will tell me how the client determines the correct site, and the AD controllers in that site, and ultimately if Samba/Winbind should support it. Obviously also anything we might be doing which would cause it not to work.

James

On 18/05/2019 17:03, Rowland penny via samba wrote:
> On 18/05/2019 16:35, A. James Lewis via samba wrote:
>> I have control only over the Winbind client, not over the AD
>> server... so I need to ask, is "sites" something set up on the AD
>> side?... and since you suggest that DNS impacts this, are you saying
>> that the "sites" parameter is encoded in the DNS values?... Do i need
>> to ensure that the host is querying an AD DNS directly, or will it
>> still work if the DNS is relayed via another local DNS server?
>>
> If you are going to use 'sites', you are going to need control over
> the AD DC to create a new site :-(
>
> Basically a site would contain one DC (at least) and various clients,
> these clients would use the DC in the site for authentication etc,
> unless the DC goes down, at which point the clients would use any DC
> in the domain. Sites are usually used for locations that are in
> separate places, this can be different buildings or countries.
>
> Domain clients use dns to locate DC's and will try to use the most
> relevant one, but this may not be the one you want it to use. By
> default, all domain members & DC's are in the same 'site', so a client
> can & will use any DC it finds.
>
> Sounds like you need to talk to your Windows sysadmin, they will know
> and understand the above, if they don't, then it is time for a new
> Windows sysadmin ;-)
>
> Rowland
>
On 18/05/2019 22:43, A. James Lewis via samba wrote:
> I'm sure the Windows admins have set up the "Sites" as required... but
> when trying to resolve issues with logon, the Windows admins are
> assuming that Samba doesn't support "sites" and blaming that for the
> issue... so, I'm hoping someone will tell me how the client determines
> the correct site, and the AD controllers in that site, and ultimately if
> Samba/Winbind should support it. Obviously also anything we might be
> doing which would cause it not to work.
>
Unless you have asked them to set up sites, all your domain computers will be in the 'Default-First-Site-Name' site. A 'site' will need to be created and then all your computers moved into this site. Samba does support sites and it works the same way as on Windows, so just tell your Windows sysadmins to forget the Linux bit and set AD as if they were all Windows computers.

Depending on what version your Windows DC's are, it might just be easier to join a Samba DC to the domain and do it yourself.

Rowland
I think you are missing the point... the Windows sysadmins have set up sites, but they are blaming slow logins on Samba not correctly interpreting the site and trying to contact a remote DC in a different site... so I need to know how the DC communicates the site information to the client. Is it just a modified DNS server that tries to give a set of local DC's in the DNS SRV query, or is it doing something else? If it's just modified DNS then I can snoop the network traffic and show conclusively if it's working or not.

James

On 18/05/2019 23:15, Rowland penny via samba wrote:
> On 18/05/2019 22:43, A. James Lewis via samba wrote:
>> I'm sure the Windows admins have set up the "Sites" as required... but
>> when trying to resolve issues with logon, the Windows admins are
>> assuming that Samba doesn't support "sites" and blaming that for the
>> issue... so, I'm hoping someone will tell me how the client determines
>> the correct site, and the AD controllers in that site, and ultimately if
>> Samba/Winbind should support it. Obviously also anything we might be
>> doing which would cause it not to work.
>>
> Unless you have asked them to set up sites, all your domain computers
> will be in the 'Default-First-Site-Name' site. A 'site' will need to
> be created and then all your computers moved into this site. Samba
> does support sites and it works the same way as on Windows, so just
> tell your Windows sysadmins to forget the Linux bit and set AD as if
> they were all Windows computers.
>
> Depending on what version your Windows DC's are, it might just be
> easier to join a Samba DC to the domain and do it yourself.
>
> Rowland
>