Richard Anderson
2022-Apr-25 19:17 UTC
[Samba] Winbind authentication issues when single Domain Controller down
Samba: Version 4.13.17-Ubuntu
Winbindd: Version 4.13.17-Ubuntu

I would expect Samba to handle it fine, also. I wonder if there is something in our config that is preventing it from working properly. Would "dns proxy = no" do that? I started exploring that as a possible item to test outside of business hours.

I included my smb.conf and nsswitch.conf as an attachment in the original post. I am including inline here just in case.

#############
# smb.conf
#############
[global]
        workgroup = OURDOMAIN
        server string = Linux Server %v
        load printers = no

        ###########################
        ## Added as a test to prevent mbxmenu from breaking. This is a problem where the Samba
        ## mounts could neither be accessed nor umounted (at least very quickly). We suspected
        ## that the core issue was a locking or oplock problem but we were not able to prove anything.
        ## The change here has not been confirmed with certainty that it has prevented our issues described above.
        min protocol = SMB2
        deadtime = 10
        ##########################

        server signing = mandatory
        realm = OURDOMAIN.COMPANY_DOMAIN.COM
        use sendfile = no
        dns proxy = no
        smb ports = 139 445
        security = ADS
        restrict anonymous = 2
        domain master = no
        local master = no
        preferred master = no
        disable netbios = no
        dos charset = ASCII
        unix charset = UTF8
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        map hidden = no
        map system = no
        map archive = no
        map readonly = no
        store dos attributes = yes
        ea support = yes
        unix extensions = no
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

        ## Cache and specify server if we lose/reboot one of the domain controllers
        winbind offline logon = yes
        winbind cache time = 600
        password server = dc1.ourdomain.company_domain.com, dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com

        ## Add winbind mapping for shell and home directory - part of replacing mbx_sssd_ldap for img Forge servers
        template shell = /bin/bash
        template homedir = /home/%u

        # Default idmap config used for BUILTIN and local accounts/groups
        # https://wiki.samba.org/index.php/Idmap_config_ad
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain
        idmap config OURDOMAIN:backend = ad
        idmap config OURDOMAIN:schema_mode = rfc2307
        idmap config OURDOMAIN:range = 10000-99999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307

##############
# nsswitch.conf
##############
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files

Rich
*Sr. Systems Engineer*

On Mon, Apr 25, 2022 at 1:42 PM Jeremy Allison <jra at samba.org> wrote:

> On Mon, Apr 25, 2022 at 11:56:22AM -0500, Richard Anderson via samba wrote:
> >When one of our domain controllers is restarted or down, occasionally we
> >will have a large number of errors on our Samba server. This appears to
> >depend on whatever domain controller is being used by winbind.
> >
> >We found this out when several of our users reported they could not login
> >to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was on
> >a reboot of one of our domain controllers. Once the domain controller was
> >back up we were able to login to the server.
> >
> >Does the 'password server' setting work? Is there another setting I should
> >consider?
> >
> >We use winbind for authentication. When the domain controller that is being
> >used is down, wbinfo -P will take several minutes before failing and does
> >not appear to switch to another server on the second or third attempt.
> >
> >*Tried (smb.conf)*
> >
> > - winbind offline login = yes
> > - winbind cache time = 600
> > - password server = dc1.ourdomain.company_domain.com,
> > dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com
>
> What Samba version ? Modern Samba code to find a DC will
> ping DC's in parallel and pick the first one that responds.
>
Jeremy Allison
2022-Apr-25 19:30 UTC
[Samba] Winbind authentication issues when single Domain Controller down
On Mon, Apr 25, 2022 at 02:17:33PM -0500, Richard Anderson wrote:
>Samba: Version 4.13.17-Ubuntu
>Winbindd: Version 4.13.17-Ubuntu
>
>I would expect Samba to handle it fine, also. I wonder if there is
>something in our config that is preventing it from working properly. Would
>"dns proxy = no" do that? I started exploring that as a possible item to
>test outside of business hours.
>
>I included my smb.conf and nsswitch.conf as an attachment in the original
>post. I am including inline here just in case.

I think removing the "password server" line and letting winbindd look up the DC's itself might be the better thing to do.

Either way, once the list of IP addresses is retrieved, we use a function cldap_multi_netlogon() to send a CLDAP ping to all addresses in the list.

From the comment for cldap_multi_netlogon():

/*
 * Do a parallel cldap ping to the servers. The first "min_servers"
 * are fired directly, the remaining ones in 100msec intervals. If
 * "min_servers" responses came in successfully, we immediately reply,
 * not waiting for the remaining ones.
 */