[Samba] Samba as W2k3 AD domain member; how to configure domain controller failover?

Alex de Vaal a.vaal at nh-hotels.com
Mon Dec 13 16:58:33 GMT 2004


Dear list,

I have a question how you configure Samba (configured as a W2k3 domain
member) to failover to a secondary AD domain controller when the connection
to the primary domain controller fails.

First some info:

- Windows 2003 Active directory (native mode), currently running with 2
domain controllers.
- Samba (version 3.0.9) running on a RHL9 server (updated with kerberos
1.3.1-7), 
   samba is compiled against kerberos 1.3.1-7 and configured as AD domain
member. 
   The winbind daemon is used for AD user validation.
- IP addresses W2k3 domain controllers: 192.168.100.100 (adm01= domain
master) and 192.168.100.101 (adm02)
- IP address RHL9 server: 192.168.100.151
- DNS is properly configured on RHL9 server and W2k3 servers.

My smb.conf file looks like this:
[global] 
workgroup = TEST
realm = TEST.COM
security = ADS
password server = 192.168.100.100, 192.168.100.101
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /data/hom/%U
template shell = /bin/bash 

[grp]
	comment = Group Directory
	path = /data/grp
	valid users = @TEST.COM\DEP_TEST_MEMBER
	read only = No
	inherit permissions = Yes


resolv.conf looks like this:
nameserver 192.168.100.100
nameserver 192.168.100.101
search test.com
domain test.com 

nsswitch.conf looks like this:
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns wins


"wbinfo -g" and "getent group" give the appropriate output. Via the chown
command I was able to give the AD group DEP_TEST_MEMBER access to the
/data/grp directory on the linux server (chmod 770 and chown "root:TEST\
DEP_TEST_MEMBER" 
XP clients can connect to the [grp] share on the samba server when they are
member of the AD group DEP_TEST_MEMBER and can store files on the share. So
far so good.

If I look with "netstat -na" I can see that the Samba server is connected to
the primary domain controller:
tcp        0      0 192.168.100.151:33837   192.168.100.100:389
ESTABLISHED
tcp        0      0 192.168.100.151:33843   192.168.100.100:445
ESTABLISHED

When the connection with the primary domain controller (192.168.100.100) is
suddenly lost, then samba will NOT failover to the second domain controller
(192.168.100.101). It is just trying to connect to the first configured one
all the time. "net ads info" will do a request at the second DC (after a
timeout of 15 sec, which I can configure to 2 seconds with "ldap timeout
=2").
"wbinfo -u" will give after a short while the error message: "Error looking
up domain users" and I have difficulty to connect to the Linux server with
Telnet (it tries the user that logonwith Telnet, even the root user,  to
validate against the AD). The XP clients will loose the connection to the
[grp] share after a short while. This will become a "status quo", nothing
changes.

The only thing I can do is manually failover to get Samba working properly
again. I changed the global option "password server" to "password server =
192.168.100.101, 192.168.100.100", rebooted the Linux server and now the
Samba server connected to the second DC:
netstat -na
========
tcp        0      0 192.168.100.151:33998   192.168.100.101:389
ESTABLISHED
tcp        0      0 192.168.100.151:34004   192.168.100.101:445
ESTABLISHED

"wbinfo -g" and "getent group" give the appropriate output and the XP client
can connect to the [grp] share again.

How can I configure Samba to failover to the second DC, so even XP clients
with connection to Samba shares won't even notice it when the connection to
the primary DC gets lost? I googled for  h o u r s  for this answer and I
found that someone used "net ads join -S" option and used the "join" option
on all DC's in the AD. (look at
http://lists.samba.org/archive/samba/2004-October/093721.html). I tried that
too, but it didn't help.

This problem is bugging me for quite a while now (also in my real
environment), so it became a very important question for me (but the
solution is more important ;-), therefore any help is very much appreciated!

Regards,
Alex.




More information about the samba mailing list