[Samba] ADS auth when primary AD server fails

Brian_Gautreau at Dell.com Brian_Gautreau at Dell.com
Mon Oct 10 20:52:02 GMT 2005

I'm having some trouble getting this to work, or even finding out if it works.  I
have read through Samba by Example and all the docs I can get my
hands on and I can't get this to work.  Maybe it isn't supposed to....
I have set up Samba under RHEL4 QU1 to authenticate to AD.  I am just
using Samba to authenticate users for login purposes.  It works fine and
dandy until my primary AD box goes down.
I have a secondary AD server.  It has a full replication of AD and DNS, and
also hands out Kerberos tickets.  My AD DNS has the listings for
_kerberos._tcp.gutbuster.local.  `dig SRV
_kerberos._tcp.gutbuster.local` returns both server entries
regardless of which DNS server I use.
I don't seem to get very far once my primary has gone down.  The Samba
host is able to get a new Kerberos ticket from the secondary by running
`kinit administrator@GUTBUSTER.LOCAL`, but it can no longer get winbind info
with `wbinfo`, and getent passwd fails to pull AD info.  Have I said
enough yet?
my samba host is
my ad primary is
my ad secondary is
I have forced Kerberos to use DNS to look up the KDC
(dns_lookup_kdc = true) in the krb5.conf and I don't have any of the
KDC=  I have tried using 'password server = *', 'password
server =', and removing the 'password server =' line altogether.
Does anyone know if this setup even works?  Remember, it isn't that I
can't get AD to authenticate; it's only when the primary AD server fails
and the secondary server is all that exists.
Here is my krb5.conf and my smb.conf:
[root@bar ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GUTBUSTER.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 GUTBUSTER.LOCAL = {
  default_domain = gutbuster.local
 }

[domain_realm]
 .gutbuster.local = GUTBUSTER.LOCAL
 gutbuster.local = GUTBUSTER.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
[root@bar ~]#

[root@bar ~]# cat /etc/samba/smb.conf
[global]
   winbind separator = +
   winbind cache time = 10
   workgroup = GUTBUSTER.LOCAL
   winbind use default domain = yes
   client schannel = no
   security = ads
   encrypt passwords = yes
   idmap uid = 5000-5999
   idmap gid = 6000-6999
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%U
[root@bar ~]#

Brian Gautreau
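As an added illustration (my own example, not code from Brian's setup or from Samba or MIT Kerberos), here is a small Python script showing the client-side half of what DNS-based KDC lookup has to do when the primary goes away: parse the SRV answers that dig returns, order them the way RFC 2782 says a client should (lowest priority first, weighted random within a priority), and fall through to the next entry when the first one does not answer. The dig answer lines, the host names dc1/dc2 and the "reachable" probe are constructed for the example; a real probe would be a TCP connect to the record's port with a short timeout.

```python
import random
import re
from typing import Callable, List, NamedTuple, Optional

# Constructed sample of what `dig SRV _kerberos._tcp.gutbuster.local` prints in
# its ANSWER SECTION. Host names, TTLs and weights are made up for this example.
DIG_ANSWER = """\
;; ANSWER SECTION:
_kerberos._tcp.gutbuster.local. 600 IN SRV 0 100 88 dc1.gutbuster.local.
_kerberos._tcp.gutbuster.local. 600 IN SRV 0 100 88 dc2.gutbuster.local.
"""


class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# RDATA of a SRV answer line: priority weight port target (trailing dot optional)
SRV_RE = re.compile(r"\bIN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(dig_output: str) -> List[Srv]:
    """Extract SRV records from dig output, skipping blank and ';' comment lines."""
    records: List[Srv] = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.search(line)
        if m:
            records.append(Srv(int(m.group(1)), int(m.group(2)),
                               int(m.group(3)), m.group(4)))
    return records


def order_srv(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """Order candidates per RFC 2782: ascending priority; within one priority,
    weighted random draws with weight-0 entries placed first in the pool."""
    rng = rng or random.Random()
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)  # weight 0 sorts first
        while pool:
            total = sum(r.weight for r in pool)
            draw = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:  # first record whose running sum reaches the draw
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def first_reachable(candidates: List[Srv],
                    reachable: Callable[[Srv], bool]) -> Optional[Srv]:
    """Return the first candidate the probe reports as answering, else None.
    The probe is injected so the logic can be exercised without a network."""
    for srv in candidates:
        if reachable(srv):
            return srv
    return None


def pick_kdc(dig_output: str, reachable: Callable[[Srv], bool],
             rng: Optional[random.Random] = None) -> Optional[Srv]:
    """Full path: parse -> RFC 2782 order -> first server that answers."""
    return first_reachable(order_srv(parse_srv(dig_output), rng), reachable)


if __name__ == "__main__":
    # Simulate the primary (dc1) being down: only dc2 answers the probe.
    down = {"dc1.gutbuster.local"}
    chosen = pick_kdc(DIG_ANSWER, lambda s: s.target not in down, random.Random(1))
    print("would use:", chosen)
```

Run it as-is and it reports dc2 as the server a well-behaved client should end up on when dc1 is unreachable. With both records at priority 0 and equal weight, the order in which dc1 and dc2 are tried is random, so the primary is not "first" in any DNS sense; the thing to compare is whether the host's own Kerberos and winbind lookups actually walk past a dead entry the way this does.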
