[Samba] ADS auth when primary AD server fails

Jeremy Allison jra at samba.org
Mon Oct 10 23:09:27 GMT 2005


On Mon, Oct 10, 2005 at 03:52:02PM -0500, Brian_Gautreau at Dell.com wrote:
> I'm having some trouble getting, or even finding out if this works.  I
> have read through the samba by example and all the docs I can get my
> hands on and I can't get this to work.  Maybe it isn't supposed to....
> I have set up samba under RHEL4 QU1 to authenticate to AD.  I am just
> using samba to authenticate users for login purposes.  It works fine and
> dandy until my primary AD box goes down.
>  
> I have a secondary AD server.  It has a full replication of AD, DNS, and
> also hands out kerberos tickets.  My AD DNS has the listings for
> _kerberos._tcp.gutbuster.local.  `dig SRV
> _kerberos._tcp.gutbuster.local` returns both server entries results
> regardless of which DNS server I use.
>  
> I don't seem to get very far once my primary has gone down.  The samba
> host is able to get a new kerberos ticket from the secondary by running
> `kinit administrator@GUTBUSTER.LOCAL` but can no longer get winbind info
> with `wbinfo` and getent passwd fails to pull AD info.  Have I said
> enough yet?  
>  
> my samba host is   10.180.23.69
> my ad primary is     10.180.23.57
> my ad secondary is 10.180.23.88
>  
> I have forced kerberos to use DNS to lookup the KDC
> (dns_lookup_kdc=true) in the krb5.conf and I don't have any of the
> KDC=10.180.23.88.  I have tried using 'password server = *', 'password
> server = 10.180.23.88 10.180.23.57', and removing the 'password server='
> line altogether.  
>  
> Does anyone know if this setup even works?  Remember, it isn't that I
> can't get AD to authenticate, it's only when the primary AD server fails
> and the secondary server is all that exists.

Very thorough, except you neglected to tell us what version of Samba
you're using..... That actually does help, you know :-).

winbindd has been undergoing a lot of work recently - knowing the
version you're using would help us investigate.

Can you get an ethereal trace from your box when you're trying to
get it to fail over please?

Jeremy.

