On 20/04/2020 17:49, Andrea Cucciarre' via samba wrote:
> Does the "password server" setting in the smb.conf achieve it?

No, you shouldn't use this, you should allow Samba to choose the best DC to use.

> On 4/20/2020 6:40 PM, Andrea Cucciarre' wrote:
>> Hello,
>>
>> Is there a way to provide a list of DCs that Samba should try to join?
>> I know that in the command "net ads join" I can use "-S" to select which
>> DC to use, but it seems it doesn't accept a list, only one single server.

Why do you feel you need to do this?

If you do not specify a DC to use during the join, Samba will search for the best DC to use.

It might help if you can tell us why you need to specify a particular DC or list of DCs.

Rowland
Hello Rowland,

One of my customers is reporting that sometimes, intermittently, they can't access the share.
When the issue appears, "wbinfo --ping-dc" and "net ads info" show the following:

# /opt/samba/bin/wbinfo --ping-dc
checking the NETLOGON for domain[FLEET] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

# /opt/samba/bin/net ads info
LDAP server: 10.5.20.13
LDAP server name: VSPWADRO01M.FLEET.AD
Realm: FLEET.AD
Bind Path: dc=FLEET,dc=AD
LDAP port: 389
Server time: Mon, 20 Apr 2020 01:08:45 EDT
KDC server: 10.5.20.13
Server time offset: 0
Last machine account password change: Tue, 03 Mar 2020 11:48:12 EST

It seems the issue started when they added a read-only domain controller, which is just VSPWADRO01M.FLEET.AD.
When the issue has recovered, "wbinfo --ping-dc" and "net ads info" show the following, so the DC selected is not VSPWADRO01M.FLEET.AD:

# /opt/samba/bin/net ads info
LDAP server: 10.5.2.11
LDAP server name: PSPWAD01P.FLEET.AD
Realm: FLEET.AD
Bind Path: dc=FLEET,dc=AD
LDAP port: 389
Server time: Mon, 20 Apr 2020 03:59:19 EDT
KDC server: 10.5.2.11
Server time offset: 0
Last machine account password change: Tue, 03 Mar 2020 11:48:12 EST

# /opt/samba/bin/wbinfo --ping-dc
checking the NETLOGON for domain[FLEET] dc connection to "vspwad01p.FLEET.AD" succeeded

Regards
Andrea Cucciarre'

On 4/20/2020 7:01 PM, Rowland penny via samba wrote:
> On 20/04/2020 17:49, Andrea Cucciarre' via samba wrote:
>> Does the "password server" setting in the smb.conf achieve it?
> No, you shouldn't use this, you should allow Samba to choose the best
> DC to use.
>>
>> On 4/20/2020 6:40 PM, Andrea Cucciarre' wrote:
>>> Hello,
>>>
>>> Is there a way to provide a list of DCs that Samba should try to join?
>>> I know that in the command "net ads join" I can use "-S" to select which
>>> DC to use, but it seems it doesn't accept a list, only one single server.
>
> Why do you feel you need to do this?
>
> If you do not specify a DC to use during the join, Samba will search
> for the best DC to use.
>
> It might help if you can tell us why you need to specify a particular
> DC or list of DCs.
>
> Rowland
On Monday, 20 April 2020 10:01:32 PDT Rowland penny via samba wrote:
> On 20/04/2020 17:49, Andrea Cucciarre' via samba wrote:
> > Does the "password server" setting in the smb.conf achieve it?
> No, you shouldn't use this, you should allow Samba to choose the best DC
> to use.
> >
> > On 4/20/2020 6:40 PM, Andrea Cucciarre' wrote:
> >> Hello,
> >>
> >> Is there a way to provide a list of DCs that Samba should try to join?
> >> I know that in the command "net ads join" I can use "-S" to select which
> >> DC to use, but it seems it doesn't accept a list, only one single server.
>
> Why do you feel you need to do this?
>
> If you do not specify a DC to use during the join, Samba will search for
> the best DC to use.
>
> It might help if you can tell us why you need to specify a particular DC
> or list of DCs.

If there is a need to provide such a list, that may be a sign that the domain is misconfigured.

One of the situations I've run into in the past is a customer who had DCs in other sites inaccessible to the machines in a given site, yet the DNS SRV RRs still contained those DCs. In a setup like that it is recommended that only the DCs that are actually reachable be returned by the DNS servers in a given site. Not following the recommendation merely slows things down for Windows, but it can outright break tools like adcli (a situation my patch to it addresses).

And even if all the DCs are properly reachable, normally the SRV RRs should contain priority/weight numbers that are influenced by the site link settings, such that the slower or costlier the site link, the less likely a client is to select a DC in that site.

All of this requires extra configuration, but if you have control over the domain, that one-time configuration removes the necessity of doing things like manually passing lists of preferred DCs everywhere.

That said, if you have no control over the domain (say, you're doing it for an external customer who's dead set on not fixing their domain), being able to pass a list of preferred DCs can be useful.
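The message above describes two things a client does with the SRV records a site's DNS server hands back: it honours their priority/weight ordering, and it only gets somewhere if the DCs returned are actually reachable. The following is an added example (not code from the Samba project, from adcli, or from anyone in this thread) that implements the RFC 2782 ordering over a constructed set of SRV records in `dig +short SRV` layout and then drops targets that fail a TCP probe. The hostnames, priorities and weights are assumptions made up for the illustration; the probe is injectable so the selection logic can be exercised without a network, and `demo()` uses a fake probe that treats one site as unreachable, mirroring the misconfiguration the message describes.

```python
"""RFC 2782 SRV ordering plus a reachability filter for AD DC discovery.

Added example, not Samba/adcli code. Records, hostnames and the 'site-c is
unreachable' scenario are constructed for the illustration.
"""
import random
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample in "dig +short SRV <name>" layout: priority weight port target.
# It imitates a DNS server that returns DCs from every site, including a site
# the querying client cannot reach. Assumed names, not from the thread.
SAMPLE_SRV_TEXT = """\
0 100 389 dc1.site-a.example.com.
0 100 389 dc2.site-a.example.com.
10 50 389 dc3.site-b.example.com.
20 0 389 rodc1.site-c.example.com.
"""


def parse_srv(text):
    """Parse 'priority weight port target' lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        prio, weight, port, target = fields
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records, rng=None):
    """Order records as RFC 2782 prescribes: lowest priority first; within one
    priority, weighted random selection without replacement, with weight-0
    records placed at the front of the group so they are picked least often."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # stable: weight 0 moves first
        while group:
            total = sum(r.weight for r in group)
            x = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            pick = group[-1]
            for r in group:
                running += r.weight
                if running >= x:  # first record whose running sum reaches x
                    pick = r
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def tcp_reachable(host, port, timeout=1.0):
    """Real probe: can the client complete a TCP handshake to target:port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_dcs(records, rng=None, probe=tcp_reachable):
    """RFC 2782 order, keeping only DCs the client can actually reach.
    'probe' is injectable so the logic can run offline."""
    return [r for r in order_srv(records, rng) if probe(r.target, r.port)]


def demo(seed=1):
    """Run the constructed sample with a fake probe that treats site-c as
    unreachable; returns the ordered targets that survive the filter."""
    def fake_probe(host, port):
        return "site-c" not in host  # assumption: only site-c is cut off

    records = parse_srv(SAMPLE_SRV_TEXT)
    return [r.target for r in select_dcs(records, random.Random(seed), fake_probe)]


if __name__ == "__main__":
    print(demo())
```

Against a live domain the input would be the output of `dig +short SRV _ldap._tcp.dc._msdcs.<realm>` (or the site-scoped `_ldap._tcp.<site>._sites.dc._msdcs.<realm>` name), and `tcp_reachable` would be the probe. If the filtered list is shorter than the parsed list, the DNS server for that site is handing out DCs the client cannot reach, which is exactly the condition the message says should be fixed on the domain side rather than worked around with hand-maintained DC lists.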
On 20/04/2020 18:20, Andrea Cucciarre' wrote:
> Hello Rowland,
>
> One of my customers is reporting that sometimes, intermittently, they
> can't access the share.
> When the issue appears, "wbinfo --ping-dc" and "net ads info" show
> the following:
>
> # /opt/samba/bin/wbinfo --ping-dc
> checking the NETLOGON for domain[FLEET] dc connection to "" failed
> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>
> # /opt/samba/bin/net ads info
> LDAP server: 10.5.20.13
> LDAP server name: VSPWADRO01M.FLEET.AD
> Realm: FLEET.AD
> Bind Path: dc=FLEET,dc=AD
> LDAP port: 389
> Server time: Mon, 20 Apr 2020 01:08:45 EDT
> KDC server: 10.5.20.13
> Server time offset: 0
> Last machine account password change: Tue, 03 Mar 2020 11:48:12 EST
>
> It seems the issue started when they added a read-only domain
> controller, which is just VSPWADRO01M.FLEET.AD.
> When the issue has recovered, "wbinfo --ping-dc" and "net ads info"
> show the following, so the DC selected is not VSPWADRO01M.FLEET.AD:
>
> # /opt/samba/bin/net ads info
> LDAP server: 10.5.2.11
> LDAP server name: PSPWAD01P.FLEET.AD
> Realm: FLEET.AD
> Bind Path: dc=FLEET,dc=AD
> LDAP port: 389
> Server time: Mon, 20 Apr 2020 03:59:19 EDT
> KDC server: 10.5.2.11
> Server time offset: 0
> Last machine account password change: Tue, 03 Mar 2020 11:48:12 EST
>
> # /opt/samba/bin/wbinfo --ping-dc
> checking the NETLOGON for domain[FLEET] dc connection to
> "vspwad01p.FLEET.AD" succeeded

This sounds like a DNS problem. Are you pointing the clients at the RODC, and is it the nearest DC? I would check the network, cables, switches etc.

Rowland