[Samba] Automatic ADS server fallback

Alex de Vaal AVaal at nh-hotels.nl
Tue Jun 15 10:10:09 GMT 2004

Dear list,

I have a question about automatic ADS server fallback of a Samba domain member 
in a W2k3 environment.

I will now describe our real production ADS environment a little:

Madrid: 2 W2k3 ADS servers (ADM01 and ADM02) in a cluster; both are global 
catalog servers in the XXXX.COM realm.
Berlin: 1 W2k3 ADS server (ADM03); it is also a global catalog server in the 
XXXX.COM realm.

The ADS servers in Madrid and Berlin are replicated.

Düsseldorf: RHL9 server with Samba 3.0.4 (compiled with MIT 1.3.1-7 and CUPS) 
as a domain member of the XXXX.COM realm. Winbind and Kerberos are used as the 
authentication method against ADS.

Connections between the various sites: Intranet, 128 Kb/s

The RHL9 server in Düsseldorf is joined to the domain and is working properly. XP 
clients in Düsseldorf log on to the ADS domain and via the login script they get their 
shares on the local Samba server, and this works fine.
Normally the Samba server is communicating with the ADM03 server in Berlin (the 
1st DNS server is the ADM03 server; ADS is configured so that clients and domain 
members in the Düsseldorf subnet contact the ADS server in Berlin first).

How can I configure Samba 3.0.4 so that an automatic ADS server fallback is executed 
if the connection with the ADS server in Berlin fails? 
In other words: when communication with the ADM03 server fails, Samba must 
automatically contact the ADM01 or ADM03 server in Madrid for its ADS queries.

I already used the entry “password server = adm03.XXXX.com, adm02.XXXX.com, 
*” in my smb.conf file.
My krb5.conf file doesn’t exist, because MIT 1.3.1 searches for its KDC servers via 
DNS; or must I also specify a fallback for Kerberos?

The winbind cache time is the default (300 sec). Must I specify a larger value (e.g. 900 
sec.) on remote sites with a relatively slow connection?

Thanks for any suggestion,

Here is my smb.conf file (only the global section):

# Global parameters
	workgroup = XXXX
	realm = XXXX.COM
	server string = %h server (Samba %v)
	security = ADS
	# preferred DCs in order; the trailing * adds the remaining DCs Samba can locate itself
	password server = adm03.XXXX.com, adm01.XXXX.com, *
	passwd program = /usr/bin/passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	unix password sync = Yes
	log file = /var/log/samba/%m.log
	max log size = 0
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	# %u is the machine account to create; without it useradd gets no name
	add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
	domain master = No
	dns proxy = No
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template homedir = /data/hom/%U
	template shell = /bin/bash
	printer admin = root, '@XXXX.COM\Domain Admins'
	oplocks = No
	level2 oplocks = No

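The Kerberos half of the question (whether MIT needs its own fallback list when no krb5.conf exists) is illustrated below with an explicit krb5.conf. This is an added example, not configuration from the original post; the hostnames are taken from the post, the KDC order is an assumption chosen to match the site layout described, and MIT tries the listed `kdc` entries in order. Note that once a realm has `kdc` entries in krb5.conf, MIT no longer consults DNS SRV records for that realm, so the list must be kept complete.

```ini
[libdefaults]
    default_realm = XXXX.COM
    # DNS discovery (SRV records _kerberos._udp.XXXX.COM) is only used for
    # realms that have no kdc entries below; listing KDCs replaces it.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    XXXX.COM = {
        # Assumed fallback order for the Düsseldorf site: the Berlin DC first,
        # then the two Madrid DCs. MIT tries these in order on timeout.
        kdc = adm03.XXXX.com
        kdc = adm01.XXXX.com
        kdc = adm02.XXXX.com
        admin_server = adm01.XXXX.com
    }

[domain_realm]
    # map DNS names in the AD domain to the Kerberos realm
    .xxxx.com = XXXX.COM
    xxxx.com = XXXX.COM
```

The `winbind cache time` parameter from the question is independent of this: it controls how long winbindd caches user and group lookups it has already answered, not which DC it talks to or how quickly it gives up on one.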
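To see which DCs a DNS-based lookup will hand out and in what order, the SRV records AD publishes (`_ldap._tcp.dc._msdcs.XXXX.COM` for LDAP, `_kerberos._udp.XXXX.COM` for the KDCs) can be queried with `dig +short SRV` and sorted by priority and weight. The script below is an added example, not from the original post; the `dig` output it parses is a constructed sample in the format `priority weight port target`, with priorities chosen as an assumption so that the Berlin DC is preferred over the Madrid pair.

```shell
#!/bin/sh
# Constructed sample of:  dig +short SRV _ldap._tcp.dc._msdcs.XXXX.COM
# Fields: priority weight port target   (assumed values, lower priority = preferred)
SAMPLE_SRV='10 100 389 adm01.XXXX.com.
0 100 389 adm03.XXXX.com.
10 100 389 adm02.XXXX.com.'

# Print SRV targets in the order a client should try them: lowest priority
# first, then highest weight. RFC 2782 treats weight as a relative probability
# among equal priorities, so this is a deterministic approximation of that.
srv_fallback_order() {
    printf '%s\n' "$1" \
        | sort -k1,1n -k2,2nr \
        | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Name of the DC that will be contacted first.
srv_primary() {
    srv_fallback_order "$1" | head -n 1
}

# Live use (replace the sample with real data):
#   srv_fallback_order "$(dig +short SRV _ldap._tcp.dc._msdcs.XXXX.COM)"
srv_fallback_order "$SAMPLE_SRV"
```

Comparing this order with the `password server` list in smb.conf shows whether the explicit list and DNS agree on which DC is preferred from Düsseldorf.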