Rowland Penny
2025-Aug-21 11:38 UTC
[Samba] Winbind does not immediately fail over to secondary DC on one client
Please see inline comments.

On Thu, 21 Aug 2025 12:36:35 +0200
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> I see.

I didn't, until I scrolled down Luis's post.

Please ensure you reply to the list.

> I just feel you don't have enough redundancy with only one BIND
> server, and don't see how Samba can work pointing to itself if full
> DNS is running somewhere else.

Every Samba AD DC dns server (like Windows DCs) is authoritative for the AD dns domain, this means that the domain members must use the DCs as their nameservers, which will then forward anything outside the AD dns domain to another dns server outside the AD dns domain. These 'outside' dns servers obtain the required dns data and then return it to the DC, which then passes it on to the client.

What this means is that your DCs can use your Bind9 dns servers as forwarders, but only for anything outside the AD dns domain.

> I would do the opposite, for consistency, use the DCs as primary DNS,
> and forward out-of-scope requests to the BIND server via 'forward'
> line in smb.conf. Still not enough redundancy on the name resolution.
>
> This is another matter and may have nothing to do with your original
> query.
>
> On Aug 21, 2025 at 11:58 +0200, Lauge Rasmussen
> <lauge.rasmussen at nru.dk>, wrote:
> > Hey Luis
> >
> > Thank you for the quick answer.
> >
> > You are of course right, but the problem persists even when their
> > DNS settings are set to themselves. (Their full IP addresses). I
> > thought it would be fine having themselves as the first DNS server,
> > but I can see that is wrong.
> >
> > The way we have it set up now is that we have our DNS server,
> > running bind9/named. This is our internal DNS server which controls
> > our internal domain (nru.dk). This DNS server then forwards all
> > queries in our samba domain (sambadomain.nru.dk) to our domain
> > controllers. It does this by having a zone rule, where it has our
> > DCs as forwarders. This seems different from the article you have
> > linked, where the Samba DCs forward to the internal DNS server(s)
> > (PiHoles in the case you've sent me).

You appear to be doing it the opposite way to normal, but it should work if your bind9 has things like this:

    zone "samdom.example.com" IN {
        type forward;
        forwarders {
            192.168.1.2; 192.168.1.3;
        };
        forward only;
    };

Where 'samdom.example.com' is the AD dns domain and the IPs are the AD DCs.

The above was taken from a caching name server I have run in the past, so I know it worked when I tested it.

> > Is this setup wrong/the reason we are seeing this error?

Bit hard to say, I just set each DC to use itself as its only nameserver, if a DC needs to use another DC for a nameserver, then usually it is having extreme problems and needs fixing.

I would ensure your DCs are using themselves as their nameservers (do not use 127.0.0.1) and then point the domain members at the DCs as their nameservers. Set the DCs to forward anything outside the AD domain to an 'external' dns server. If at that point you are still getting problems, then there must be something wrong.

Rowland
Lauge Rasmussen
2025-Aug-21 12:32 UTC
[Samba] Winbind does not immediately fail over to secondary DC on one client
I have to correct myself: this is a problem on all our linux clients, not just one of them, as I originally thought. I was testing it in the wrong way before, where I didn't query a user on DC1 before shutting DC1 down and trying to query for a user on DC2. (Indicating a cache issue)

Just to be clear, these are the steps to recreate:

1. On a linux client connected to samba ad run "wbinfo -P" to find what DC the client is connected to e.g. (dc connection to DC1.samdom.example.com)
2. Query for a user "wbinfo -i test"
3. Stop the samba service on the DC from step 1 (e.g. DC1)
4. Check that the client has connected to the secondary DC "wbinfo -P" (dc connection to DC2.....)
5. Run "wbinfo -i test" and it returns an error (WBC_ERR_DOMAIN_NOT_FOUND)

To answer your question: Yes, you're correct that we have set it up like:

    zone "samdom.example.com" IN {
        type forward;
        forwarders {
            192.168.1.2; 192.168.1.3;
        };
        forward only;
    };

We have also set it up, as you describe it in your last paragraph, with the DCs having only their own IP (not localhost) as their DNS server. (This makes them able to only look up domain addresses, as we have not set up forwarding from inside the DC, but that's easily fixed.)

I tried setting the client to use the DCs as its DNS servers, as you suggested. However it didn't remove the problem.

As for Luis' comments about redundancy: We do have redundancy for our BIND server, where we are running 2 internal BIND Servers. We are quite happy with our current DNS setup, so we would like to keep it, as long as it works. However it is good to keep in mind that we can also do it the other way around with the DCs as DNS servers with a forwarding clause in smb.conf.

For a bit more information: We are only testing it on our test environment, where we are seeing the problem with our clients not switching properly.

The best solution we have come up with so far is just refreshing the cache if our server detects (through a Cronjob) that it cannot look usernames up, while winbind is running. This does work, but is not very nice. We are afraid that we will only add more points of failure to our live environment if we set up a secondary DC, where it will render the DC useless for an hour for half the clients if any of the two DCs crash. This is why we wanted to try to figure out what the problem is, before we tried on our live environment, so we don't end up with a less stable environment.

Thank you very much for the help
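As an added example that is not part of the thread, a small POSIX shell script in the spirit of the cron-job workaround described above: it records which DC the domain member is currently talking to, checks whether winbind can still resolve a user, and flushes winbind's cache only when that lookup fails. The commands wbinfo and net cache flush, and the user name "test", are assumptions; the two parsing functions work on captured output, and the sample strings in the test are constructed from the wbinfo fragments quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cron-style winbind failover check for a
# Samba domain member. Assumes wbinfo and net are on PATH when run for real;
# the parsing functions below only look at captured text, so they can be
# exercised without a domain.

USER_TO_CHECK="${1:-test}"   # assumed: any domain user the client should resolve

# Pull the DC name out of "wbinfo -P" output, which (as quoted in the thread)
# contains a fragment like: dc connection to "DC1.samdom.example.com" succeeded
current_dc() {
    printf '%s\n' "$1" | tr -d '"' |
        sed -n 's/.*dc connection to \([^ )]*\).*/\1/p' | head -n 1
}

# Return 0 when "wbinfo -i" output is a passwd-style entry (seven colon-separated
# fields); return 1 for empty output or an error such as WBC_ERR_DOMAIN_NOT_FOUND.
lookup_ok() {
    case "$1" in
        ""|*WBC_ERR*) return 1 ;;
    esac
    fields=$(printf '%s\n' "$1" | head -n 1 | awk -F: '{ print NF }')
    [ "$fields" -eq 7 ]
}

# Do real work only where winbind's tools exist, i.e. on the domain member.
if command -v wbinfo >/dev/null 2>&1; then
    dc=$(current_dc "$(wbinfo -P 2>&1 || true)")
    out=$(wbinfo -i "$USER_TO_CHECK" 2>&1 || true)
    if lookup_ok "$out"; then
        logger -t winbind-check "lookup of $USER_TO_CHECK via ${dc:-unknown DC} ok"
    else
        logger -t winbind-check "lookup of $USER_TO_CHECK failed via ${dc:-unknown DC}: $out; flushing cache"
        net cache flush   # the cache refresh the thread already uses as a workaround
    fi
fi
```

Run it from cron every few minutes; the syslog line tells you which DC the client was bound to each time a lookup failed, which is the data needed to tell a cache problem from a DNS one.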