[Samba] ADS server fallback

Alex de Vaal a.vaal at nh-hotels.com
Wed Jul 7 10:20:52 GMT 2004


Dear list,

I have a question about ADS server fallback of a Samba domain member in a
W2k3 environment.

I describe now a little our real production ADS environment;

Madrid: two W2k3 ADS servers (ADM01 and ADM02) in a cluster; both are
global catalog servers in the XXXX.COM realm.
Berlin: one W2k3 ADS server (ADM03); it is also a global catalog server in the
XXXX.COM realm.
The ADS servers in Madrid and Berlin are replicated.

Düsseldorf: RHL9 server with Samba 3.0.4 (compiled with MIT 1.3.1-7 and
CUPS) as a domain member of the XXXX.COM realm. Winbind and Kerberos are
used as the authentication method against ADS.

Connections between the various sites: leased line, 128 Kb/s


The RHL9 server in Düsseldorf is joined to the XXXX.COM realm and is working
properly. XP clients in Düsseldorf log on to the ADS domain and via the login
script they get their shares on the local Samba server, and this works
fine. Normally the Samba server in Düsseldorf is communicating with the
ADM03 server in Berlin (the first DNS server is the ADM03 server; ADS is
configured so that clients and domain members in the Düsseldorf subnet first
contact the ADS server in Berlin).

Question:
How can I configure Samba 3.0.4 so that an ADS server fallback is performed if
the connection with the ADS server in Berlin fails? In other
words: when communication with the ADM03 server fails (the leased line to
Berlin breaks down), Samba must automatically contact the ADM01 or ADM02
server in Madrid for its ADS queries.

I already used the entry "password server = adm03.XXXX.com,
adm01.XXXX.com, *" in my smb.conf file. My krb5.conf file doesn't exist,
because MIT 1.3.1 searches its KDC servers via DNS, or must I also specify
a fallback for Kerberos (contents of krb5.conf: [libdefaults]
dns_fallback = true)?

The winbind cache time is default (300 sec). Must I specify a larger value
(e.g. 900 sec.) on remote sites with a relatively slow connection?

Thanx for any suggestion,
Alex.
(sorry for the stupid disclaimer underneath this e-mail, I can't help it... :)


Here is my smb.conf file (only the global section):

[global]
	workgroup = XXXX
	realm = XXXX.COM
	server string = %h server (Samba %v)
	security = ADS
	password server = adm03.XXX.com, adm01.XXX.com, *
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 200
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	domain master = No
	dns proxy = No
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /data/hom/%U
	template shell = /bin/bash
	printer admin = root, '@XXXX.COM\Domain Admins', @XXXX.COM\DEP_ADMIN_GERMANY
	oplocks = No
	level2 oplocks = No
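The following is an added example, not code from the post or from the Samba project. It models the two fallback questions above from the domain member's side: it parses the ordered `password server` list out of a constructed smb.conf excerpt (Samba tries the entries in order; the trailing `*` means "discover a DC yourself via DNS/NetBIOS"), probes each named DC on the TCP ports a member needs (Kerberos 88, LDAP 389, SMB 445) to show which one would be used from a remote site when the Berlin line is down, and emits a krb5.conf `[realms]` stanza listing the same KDCs in the same order while keeping `dns_lookup_kdc` on, so the MIT client falls back the same way. The hostnames (`adm03.xxxx.com`, `adm01.xxxx.com`) are placeholders; the probe function is injectable so the selection logic runs without a network.

```python
"""Which ADS domain controller would a remote Samba member reach right now?

Added diagnostic (not from the mailing-list post or from Samba itself):
parse `password server`, probe each DC, and print a krb5.conf stanza that
mirrors the same fallback order for MIT Kerberos.
"""
import socket
from typing import Callable, Dict, List, Optional

# TCP ports a domain member needs on a DC: Kerberos, LDAP, SMB.
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445}

# Constructed smb.conf excerpt mirroring the post; hostnames are placeholders.
SMB_CONF = """
[global]
    workgroup = XXXX
    realm = XXXX.COM
    security = ADS
    password server = adm03.xxxx.com, adm01.xxxx.com, *
"""

Probe = Callable[[str, int], bool]


def parse_password_server(conf: str) -> List[str]:
    """Return the ordered `password server` entries; '*' means auto-discovery."""
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "password server":
            return [h.strip() for h in value.replace(",", " ").split() if h.strip()]
    return []


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host: str, probe: Probe = tcp_probe) -> Dict[str, bool]:
    """Reachability of each required service port on one DC."""
    return {name: probe(host, port) for name, port in DC_PORTS.items()}


def choose_dc(servers: List[str], probe: Probe = tcp_probe) -> Optional[str]:
    """First listed DC with every port reachable, walking the list in order.

    A '*' entry means Samba would stop using the explicit list and discover a
    DC itself, so it is returned as-is; None means nothing in the list works.
    """
    for host in servers:
        if host == "*":
            return "*"
        if all(probe_dc(host, probe).values()):
            return host
    return None


def krb5_realms_stanza(realm: str, servers: List[str]) -> str:
    """krb5.conf text listing the same KDCs in the same order, DNS lookup kept on."""
    kdcs = [h for h in servers if h != "*"]
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    dns_lookup_kdc = true",   # SRV records remain the last resort
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    lines += [f"        kdc = {h}" for h in kdcs]
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    servers = parse_password_server(SMB_CONF)
    for host in servers:
        if host != "*":
            print(host, probe_dc(host))
    print("would use:", choose_dc(servers))
    print(krb5_realms_stanza("XXXX.COM", servers))
```

Run it from the remote site's Samba host; a DC whose Kerberos port answers but whose LDAP port does not is reported as unusable, which is the kind of half-open state a slow leased line produces and that a plain ping would miss.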


