[Samba] Automatic ADS server fallback
Alex de Vaal
AVaal at nh-hotels.nl
Tue Jun 15 10:10:09 GMT 2004
I have a question about automatic ADS server fallback of a Samba domain member
in a W2k3 environment.
I'll now describe our real production ADS environment a little:
Madrid: 2 W2k3 ADS servers (ADM01 and ADM02) in a cluster; both are global
catalog servers in the XXXX.COM realm.
Berlin: 1 W2k3 ADS server (ADM03), which is also a global catalog server in the
The ADS servers in Madrid and Berlin are replicated.
Düsseldorf: RHL9 server with Samba 3.0.4 (compiled with MIT 1.3.1-7 and CUPS)
as a domain member of the XXXX.COM realm. Winbind and Kerberos are used as the
authentication method against ADS.
Connections between the various sites: Intranet, 128 Kb/s
The RHL9 server in Düsseldorf is joined to the domain and is working properly. XP
clients in Düsseldorf log on to the ADS domain and via the login script they'll get their
shares on the local Samba server, and this works fine.
Normally the Samba server is communicating with the ADM03 server in Berlin (The
1st DNS server is the ADM03 server; ADS is configured that clients and domain
members in the subnet of Düsseldorf first contact the ADS server in Berlin).
How can I configure Samba 3.0.4 so that an automatic ADS server fallback is executed
if the connection with the ADS server in Berlin fails?
In other words: when communication with the ADM03 server fails, Samba must
automatically contact the ADM01 or ADM03 server in Madrid for its ADS queries.
I already used the entry password server = adm03.XXXX.com, adm02.XXXX.com,
* in my smb.conf file.
My krb5.conf file doesn't exist, because MIT 1.3.1 searches its KDC servers via
DNS, or must I also specify a fallback for Kerberos?
The winbind cache time is the default (300 sec). Must I specify a larger value (e.g. 900
sec.) on remote sites with a relatively slow connection?
Thanx for any suggestion,
Here is my smb.conf file (only the global section):
# Global parameters
workgroup = XXXX
realm = XXXX.COM
server string = %h server (Samba %v)
security = ADS
password server = adm03.XXXX.com, adm01.XXXX.com, *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, "@XXXX.COM\Domain Admins"
oplocks = No
level2 oplocks = No
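An added illustration, not part of the original post: an MIT Kerberos krb5.conf that makes the KDC fallback explicit instead of relying only on DNS SRV lookups. MIT krb5 uses the kdc entries listed for a realm in the order given (and only consults DNS when the realm has no kdc entries), so the nearest DC (ADM03 in Berlin) goes first and the Madrid DCs follow. The realm and host names are taken from the post; the admin_server and default_domain values are assumptions.

```ini
[libdefaults]
    default_realm = XXXX.COM
    # DNS lookups are only used for realms that have no kdc entries below
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    XXXX.COM = {
        # KDCs are contacted in this order; the local-site DC comes first,
        # the Madrid cluster members are the fallback when Berlin is unreachable
        kdc = adm03.XXXX.com
        kdc = adm01.XXXX.com
        kdc = adm02.XXXX.com
        # assumed values, not taken from the post
        admin_server = adm03.XXXX.com
        default_domain = XXXX.com
    }

[domain_realm]
    # map host names in the AD DNS domain to the Kerberos realm
    .XXXX.com = XXXX.COM
    XXXX.com = XXXX.COM
```

After installing the file, `kinit user@XXXX.COM` against the domain and `net ads testjoin` on the Samba host confirm the realm configuration is still valid; stopping the first KDC's reachability (for example by blocking it at the firewall during a test window) shows whether the client moves on to the next entry.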