[Samba] use password server= when security=ADS or not???

Alex de Vaal AVaal at nh-hotels.nl
Wed Jun 9 14:57:16 GMT 2004


On 9 Jun 2004 at 8:00, Gerald (Jerry) Carter wrote:

> | In the man page of samba also resides the following about "password server":
> | The advantage of using "security = domain"
> | is that if you list several hosts in the "password server"
> | option then smbd will try each in turn till it finds one
> | that responds. This is useful in case your primary
> | server goes down. Does this also work when "security = ADS"?
> | I'd like that the samba domain server
> | tries to contact each password server in the list
> | till it finds one that responds.
> 
> When 'security = ads', Samba uses the password server
> for any NTLM authentication as well as ldap queries.
> Krb5 ticket verification is handled by the krb5 libs
> (outside of Samba).

Right.

I'm using winbind (which is the Samba-3 NTLM authentication daemon) in my 
configuration, so in my case is it better to specify at "password server" all the DNS 
names of my ADS servers instead of leaving it blank?

I know that the Krb5 ticket is handled by the krb5 libs. I have no krb5.conf specified, so it 
uses DNS for resolving the KDC servers (the ADS servers create SRV records in 
DNS for each KDC in the realm).

In my case "password server =" is not specified in smb.conf. However, I sometimes see 
strange things in winbindd.log on a remote Samba domain member server: it sometimes 
can't find the LDAP server, port 445 and port 139, because the connection to the ADS 
server is sometimes very slow (it is a router connection).
I was wondering if it is better to specify all the ADS servers in the realm at "password 
server =", so it looks for the other servers in the realm if the connection to an 
ADS server is slow.


Winbindd.log
==========

[2004/06/08 19:28:41, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:28:50, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:07, 1] libsmb/cliconnect.c:cli_start_connection(1388)
  session request to NHADM01 failed (Call timed out: server did not respond after 
10000 milliseconds)
[2004/06/08 19:29:15, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to *SMBSERVER<20> (10.2.20.240)
[2004/06/08 19:29:34, 1] libsmb/cliconnect.c:cli_start_connection(1408)
  failed negprot
[2004/06/08 19:29:43, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:52, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to NHADM01<20> (10.2.20.240)
[2004/06/08 19:30:02, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 
10000 milliseconds
[2004/06/08 19:30:35, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:59, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:31:11, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445

and somewhat later.....

[2004/06/08 20:45:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:55:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:05:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:53, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:16:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:25:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist

which is normal... (in 3.0.4) ;-)

Regards,
Alex.
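As an added illustration (not part of this thread and not Samba's own code), the script below parses winbindd.log entries of the shape shown above, counts per-host connection timeouts and "Failed to get ldap server info" entries, and lists the domain controllers a member server repeatedly fails to reach. That is the information one wants before deciding what to put in "password server". The sample log is constructed to mirror the excerpt (same IP, same source locations, including a log message wrapped onto a second line); the `suggest_password_server` helper and its ordering of reachable hosts first are my assumptions about how to use the "tried in turn" behaviour, not a Samba feature.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of the winbindd.log excerpt from the post.
# One entry spans two lines; a third line appears where the message was wrapped.
SAMPLE_LOG = """\
[2004/06/08 19:28:41, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:28:50, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:07, 1] libsmb/cliconnect.c:cli_start_connection(1388)
  session request to NHADM01 failed (Call timed out: server did not respond after
10000 milliseconds)
[2004/06/08 19:29:15, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:30:35, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:31:11, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
"""

# "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER_RE = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$')
TIMEOUT_RE = re.compile(r'timeout connecting to (\d+\.\d+\.\d+\.\d+):(\d+)')
LDAP_FAIL = 'Failed to get ldap server info'


def parse_entries(text):
    """Return a list of (timestamp, level, location, message) tuples.

    Every line that is not a header is treated as a continuation of the
    current entry's message, so wrapped messages are joined back together.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                entries.append(tuple(current))
            ts = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            current = [ts, int(m.group(2)), m.group(3), '']
        elif current is not None and line.strip():
            current[3] = (current[3] + ' ' + line.strip()).strip()
    if current is not None:
        entries.append(tuple(current))
    return entries


def summarize(entries):
    """Count TCP connect timeouts per (host, port) and LDAP lookup failures."""
    timeouts = Counter()
    ldap_failures = 0
    first = last = None
    for ts, _level, _loc, msg in entries:
        m = TIMEOUT_RE.search(msg)
        if m:
            timeouts[(m.group(1), int(m.group(2)))] += 1
            first = ts if first is None else min(first, ts)
            last = ts if last is None else max(last, ts)
        if LDAP_FAIL in msg:
            ldap_failures += 1
    window = (last - first).total_seconds() if first is not None else 0.0
    return {'timeouts': dict(timeouts),
            'ldap_failures': ldap_failures,
            'window_seconds': window}


def unreachable_dcs(summary, min_timeouts=2):
    """Hosts that timed out at least min_timeouts times on SMB ports (139/445)."""
    counts = Counter()
    for (host, port), n in summary['timeouts'].items():
        if port in (139, 445):
            counts[host] += n
    return sorted(h for h, n in counts.items() if n >= min_timeouts)


def suggest_password_server(all_dcs, slow_hosts):
    """Hypothetical helper: build a 'password server' line that lists the
    responsive DCs first and the slow ones last, since smbd tries them in turn."""
    ordered = [d for d in all_dcs if d not in slow_hosts] + \
              [d for d in all_dcs if d in slow_hosts]
    return 'password server = ' + ' '.join(ordered)


if __name__ == '__main__':
    s = summarize(parse_entries(SAMPLE_LOG))
    bad = unreachable_dcs(s)
    print(s)
    print('repeatedly unreachable:', bad)
    # DC names below are placeholders, not from the post
    print(suggest_password_server(['10.2.20.240', 'dc2.example.invalid'], bad))
```

Running it on the constructed sample reports two timeouts on 10.2.20.240:445 and one on :139 within a 141-second window, plus two LDAP lookup failures, and flags 10.2.20.240 as repeatedly unreachable. On a real member server, feed it the actual winbindd.log and check whether the timeouts concentrate on one DC (a slow link, as in the post) or spread across all of them (a local network or DNS problem).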


