[Samba] Multiple 2003 Servers

Ian Barnes ian at opteqint.net
Tue Jan 31 05:56:24 GMT 2006


I am busy trying to get another 2003 server setup and working so that we
have backup servers when authenticating to AD. I believe the way we have to
do it is to not specify a server when joining the domain, but rather just
connect to the domain. Here is what I did.

I installed a standard 2003 server, and then installed a second one, making
it another controller in the domain. So that seems fine, and I can join each
one separately if I specify the server to connect to. On a side note, I
couldn't join the domain from my machines without using Kerberos for some
reason; I don't even remember telling the AD domain that Kerberos must be
used. Anyway, if I then remove the server name to connect to, I can then
(about 80% of the time) join a server. Here is the confusing part though:
when I join the domain, it picks a random controller and joins to that one,
no specific one. What I need to be able to do is to join one of them, and
when that one fails, move over to another one. I have a suspicion that I
would need to re-issue the Kerberos ticket when moving servers, since I
assume they would have different tickets. Just to jump back to my 2003
configuration, the first domain controller I installed was a default install
using the 2003 mode (not 2000 native), with no other configuration changes.
Below is how I connect to the domain etc.

This is my Kerberos file:
[root@server] ~ # cat /etc/krb5.conf
[logging]
        default = FILE:/var/log/krb5lib.log

[libdefaults]
        default_realm = DEADMIND.LOCAL

[realms]
        DEADMIND.LOCAL = {
          kdc = deadmind.deadmind.local
          default_domain = deadmind.local
        }

[domain_realm]
        .deadmind.local = DEADMIND.LOCAL
        deadmind.local = DEADMIND.LOCAL
[root@server] ~ #

This is my smb.conf file:
[root@server] ~ # cat /usr/local/etc/smb.conf
[global]
winbind separator=+
winbind cache time=10
winbind uid=10000-20000
winbind gid=10000-20000
winbind use default domain=yes
client ntlmv2 auth=yes
[root@server] ~ #

This is how I join etc.:
[root@server] ~ # net ads join -w MASTERMIND -U Administrator%passwordhere
[2006/01/31 07:54:50, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for server already exists - modifying
old account
Using short domain name -- MASTERMIND
Joined 'SERVER' to realm 'DEADMIND.LOCAL'
[root@server] ~ #

I then run winbindd and nmbd, and I can look up users using wbinfo -u etc.
Once that is working and I unplug the one I'm connected to (which I don't
want to have to guess which one it is), I then can't look up users and it
doesn't switch to the other server.

Am I doing something wrong?
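One thing a reader can verify about the krb5.conf above is that it names only one kdc for DEADMIND.LOCAL, so a Kerberos client has nowhere to fall back to when that controller goes away. The script below is an added example (not from the post or from Samba): a small parser for the subset of krb5.conf used here, plus a check that the default realm lists more than one kdc line and that [domain_realm] maps onto it. The sample config is constructed after the poster's file, with a second, hypothetical KDC `mastermind.deadmind.local` added.

```python
"""Check a krb5.conf for a single-KDC realm (added example, not the poster's code)."""
from collections import defaultdict

# Constructed sample: the poster's file plus a hypothetical second kdc line.
SAMPLE_KRB5_CONF = """\
[logging]
        default = FILE:/var/log/krb5lib.log

[libdefaults]
        default_realm = DEADMIND.LOCAL

[realms]
        DEADMIND.LOCAL = {
          kdc = deadmind.deadmind.local
          kdc = mastermind.deadmind.local
          default_domain = deadmind.local
        }

[domain_realm]
        .deadmind.local = DEADMIND.LOCAL
        deadmind.local = DEADMIND.LOCAL
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'name = { ... }' blocks nest one level.

    Repeated keys (several 'kdc' lines) are kept in order, which is the order a
    Kerberos client tries them. Comments after '#' are ignored.
    """
    conf = defaultdict(lambda: defaultdict(list))
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section, block = line[1:-1], None
        elif line == '}':
            block = None
        elif line.endswith('{'):
            block = line[:-1].strip().rstrip('=').strip()
            conf[section][block] = defaultdict(list)
        else:
            key, _, value = line.partition('=')
            target = conf[section][block] if block else conf[section]
            target[key.strip()].append(value.strip())
    return conf

def kdcs_for_realm(conf, realm):
    """KDCs configured for realm, in the order a client will try them."""
    return list(conf['realms'].get(realm, {}).get('kdc', []))

def check_failover(conf):
    """Return findings about single points of failure; empty list means OK."""
    findings = []
    default_realm = conf['libdefaults'].get('default_realm', [None])[0]
    if default_realm is None:
        return ['no default_realm in [libdefaults]']
    kdcs = kdcs_for_realm(conf, default_realm)
    if len(kdcs) < 2:
        findings.append(f'realm {default_realm} lists {len(kdcs)} kdc(s); add one per DC')
    mapped = {v for vals in conf['domain_realm'].values() for v in vals}
    if default_realm not in mapped:
        findings.append(f'[domain_realm] does not map any domain to {default_realm}')
    return findings

if __name__ == '__main__':
    print(check_failover(parse_krb5_conf(SAMPLE_KRB5_CONF)) or 'OK: realm has a fallback KDC')
```

Running it against the poster's original file (one kdc line) reports the realm as having a single KDC; with the second line it passes.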
