Richard Anderson
2022-Apr-26 13:27 UTC
[Samba] Winbind authentication issues when single Domain Controller down
That doesn't appear to be what is occurring. We had the server configured without the "password server" line initially. Adding it in the configuration (along with "winbind offline logon" and "winbind cache time") was an attempt to see if it made a difference. After removing those lines, checking wbinfo -P for the domain controller used, shutting down that domain controller, and running wbinfo -P again, the result is a long delay of two minutes before canceling the test and starting the domain controller. I tested the same process with 'dns proxy = yes' with the same results.

We have our domain controllers on a separate subnet and DNS is relayed via our firewall. However, the tests I ran against the domain (using nslookup) appeared ok. Are there any other tests or settings I can try?

Rich
*Sr. Systems Engineer*

On Mon, Apr 25, 2022 at 2:30 PM Jeremy Allison <jra at samba.org> wrote:

> On Mon, Apr 25, 2022 at 02:17:33PM -0500, Richard Anderson wrote:
> >Samba: Version 4.13.17-Ubuntu
> >Winbindd: Version 4.13.17-Ubuntu
> >
> >I would expect Samba to handle it fine, also. I wonder if there is
> >something in our config that is preventing it from working properly. Would
> >"dns proxy = no" do that? I started exploring that as a possible item to
> >test outside of business hours.
> >
> >I included my smb.conf and nsswitch.conf as an attachment in the original
> >post. I am including inline here just in case.
>
> I think removing the "password server" line and letting
> winbindd look up the DCs itself might be the better
> thing to do.
>
> Either way, once the list of IP addresses is retrieved,
> we use a function cldap_multi_netlogon() to send a CLDAP
> ping to all addresses in the list. From the comment for
> cldap_multi_netlogon():
>
> /*
>  * Do a parallel cldap ping to the servers. The first "min_servers"
>  * are fired directly, the remaining ones in 100msec intervals. If
>  * "min_servers" responses came in successfully, we immediately reply,
>  * not waiting for the remaining ones.
>  */
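The staggered parallel CLDAP ping quoted above, modelled as an added example for this archive page (it is an illustration, not Samba's own cldap_multi_netlogon() code; the DC names, latencies and timeout value are constructed). With the first DC in the list shut down and min_servers = 1, the model shows the answer arriving from the next DC roughly 100 ms later rather than only after the timeout expires.

```python
"""Model of the staggered, parallel CLDAP ping described in the thread.

Added illustration, not Samba's cldap_multi_netlogon(): each DC is given a
simulated round-trip latency in milliseconds (None = never answers, e.g. a
DC that has been shut down). The first min_servers pings go out at t=0, the
rest one every 100 ms, and the round ends as soon as min_servers answers
have arrived.
"""
from typing import Dict, List, Optional, Tuple

STAGGER_MS = 100  # interval between the pings fired after the first min_servers


def schedule_pings(dc_names: List[str], min_servers: int) -> Dict[str, int]:
    """Return the time (ms) at which each DC's CLDAP ping is sent."""
    sends = {}
    for i, name in enumerate(dc_names):
        # first min_servers fire immediately, then one more every STAGGER_MS
        sends[name] = 0 if i < min_servers else (i - min_servers + 1) * STAGGER_MS
    return sends


def multi_netlogon(latency_ms: Dict[str, Optional[int]], min_servers: int,
                   timeout_ms: int) -> Tuple[List[str], int]:
    """Simulate one ping round. Returns (responders, completion time in ms).

    latency_ms maps DC name -> constructed round-trip time, or None if the DC
    never answers. Dict order is the order the DC list was retrieved in.
    """
    sends = schedule_pings(list(latency_ms), min_servers)
    # arrival time of every answer that will ever come back, earliest first
    arrivals = sorted((sends[dc] + rtt, dc)
                      for dc, rtt in latency_ms.items() if rtt is not None)
    responders: List[str] = []
    for t, dc in arrivals:
        if t > timeout_ms:
            break
        responders.append(dc)
        if len(responders) >= min_servers:
            # enough answers: reply now without waiting for the remaining DCs
            return responders, t
    # not enough live DCs: the caller only finds out when the timeout expires
    return responders, timeout_ms
```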
Rowland Penny
2022-Apr-26 13:36 UTC
[Samba] Winbind authentication issues when single Domain Controller down
On Tue, 2022-04-26 at 08:27 -0500, Richard Anderson via samba wrote:
>
> We have our domain controllers on a separate subnet and DNS is
> relayed via our firewall. However, the tests I ran against the
> domain (using nslookup) appeared ok.

I think you need to explain that in a bit more detail. It sounds like your Samba AD DCs are in one subnet and your clients are in another. If this is the case, you should be using 'sites', but you would still need a minimum of one DC in each site.

Rowland