samba - May 2019 - SRV records.

I think you are missing the point... the windows sysadmins have set up
sites, but they are blaming slow logins on Samba not correctly
interpreting the site and trying to contact a remote DC in a different
site... so I need to know how the DC communicates the site information
to the client.

Is it just a modified DNS server that tries to give a set of local DC's
in the DNS SRV query, or is it doing something else?

If it's just modified DNS then I can snoop the network traffic and show
conclusively if it's working or not.

James


On 18/05/2019 23:15, Rowland penny via samba wrote:
> On 18/05/2019 22:43, A. James Lewis via samba wrote:
>> I'm sure the Windows admins have set up the "Sites" as
required... but
>> when trying to resolve issues with logon, the Windows admins are
>> assuming that Samba doesn't support "sites" and blaming
that for the
>> issue... so, I'm hoping someone will tell me how the client
determines
>> the correct site, and the AD controllers in that site, and ultimately
if
>> Samba/Winbind should support it.  Obviously also anything we might be
>> doing which would cause it not to work.
>>
> Unless you have asked them to set up sites, all your domain computers
> will be in the 'Default-First-Site-Name' site. A 'site'
will need to
> be created and then all your computers moved into this site. Samba
> does support sites and it works the same way as on Windows, so just
> tell your Windows sysadmins to forget the Linux bit and set AD as if
> they were all Windows computers.
>
> Depending on what version your Windows DC's are, it might just be
> easier to join a Samba DC to the domain and do it yourself.
>
> Rowland
>

On 19/05/2019 01:53, A.James Lewis via samba wrote:
> I think you are missing the point...
No, you never gave us the point, this is the first time you said that 
your computers are actually in a 'site'
> the windows sysadmins have set up
> sites, but they are blaming slow logins on Samba not correctly
> interpreting the site and trying to contact a remote DC in a different
> site... so I need to know how the DC communicates the site information
> to the client.
They communicate just the same as a Windows clients, so if you have slow 
logins, then I suggest you check that your clients are actually set up 
to use the DC(s) in the site as their nameserver.

Try reading this:

https://wiki.samba.org/index.php/Active_Directory_Sites

It should help you understand sites better, but from the Samba point of 
view it requires updating, as you now can use samba-tool instead of ADUC.

Rowland

OK, fair point... perhaps I wasn't clear enough, this happens a lot... 
probably my brain just operates on a different wavelength.... in my 
original message I said "what method does it use to decide which is the 
correct (most local?) domain controller to connect to"


The answer I got was "it uses sites, you need to set up sites"... the 
answer I was hoping for was one of

a) "If your AD controller has sites set up, and you do the SRV lookup 
against the AD controllers own DNS server then it will send you only 
local AD controllers based on the source subnet of the DNS query"

or

b) "If your AD controller has sites set up,then there will be some 
broadcast magic happening from the AD controller informing the clients 
how to prioritize the AD servers returned from the SRV query"

or

c) /something else/

Having read the samba wiki article on sites you linked (Thanks muchly), 
and the microsoft technet it references, I'm now even more confused, 
since you stated that nothing needs to be done at the client and it 
works exactly like a windows client... and that samba does not support 
sites (which in light of the earlier comment, I took to mean that 
support for sites is not in the client).

However, the technet article states that "When a client requests a 
domain controller, it provides its site name to DNS."... which implies 
that there must be some support in the client... and the Samba Wiki 
article suggests that this information is encoded into the SRV query, 
under a "sites" subdomain, which also implies that the client is 
complicit, and must know it's site name.

Finally, the original comment is that it does not work if I query via a 
BIND nameserver, which seems not to make sense if it's just encoded in a 
subdomain, a'la 
"_ldap._tcp._MySite_._sites.dc._msdcs.samdom.example.com". This makes
me
think that there must be a "site =" parameter in the smb.conf.

I hope it's clear why I'm confused.... and I apologize if I contributed 
to said confusion.

James


On 19/05/2019 08:45, Rowland penny via samba wrote:
> On 19/05/2019 01:53, A.James Lewis via samba wrote:
>> I think you are missing the point...
> No, you never gave us the point, this is the first time you said that 
> your computers are actually in a 'site'
>> the windows sysadmins have set up
>> sites, but they are blaming slow logins on Samba not correctly
>> interpreting the site and trying to contact a remote DC in a different
>> site... so I need to know how the DC communicates the site information
>> to the client.
>
> They communicate just the same as a Windows clients, so if you have 
> slow logins, then I suggest you check that your clients are actually 
> set up to use the DC(s) in the site as their nameserver.
>
> Try reading this:
>
> https://wiki.samba.org/index.php/Active_Directory_Sites
>
> It should help you understand sites better, but from the Samba point 
> of view it requires updating, as you now can use samba-tool instead of 
> ADUC.
>
> Rowland
>
>
>