[Samba] Winbind ADS feature request

Diego Rivera diego at rivera.net
Fri Jun 9 19:55:14 GMT 2006


Hello all!

I've been successful at adding ADS authentication to my Samba servers on 
all fronts, and also got Kerberos authentication working.  I've managed 
to overcome some limitations (like, for instance, automatic password 
changes on password expiration), but am facing one last hurdle before I 
can honestly say that my system is well prepared for (almost) all scenarios.

When the primary ADS goes down (we're taking it offline to do testing 
when possible), Winbind refuses to go out and look for a backup.  We 
either have to manually bounce the service (it will find the backup 
appropriately), or use "wbinfo -u".  So, here's the feature request:  
would it be possible for Winbind to implement some sort of "current DC" 
heartbeat mechanism, such that when that heartbeat fails (or after X 
heartbeats, whatever...), it automatically goes and looks for an 
alternate DC?

I realize that this can probably be achieved using "winbind cache time", 
however setting this too low would probably result in a lot of 
unnecessary network traffic.  Also, a "daemonized", manually implemented 
heartbeat could also do the job.  However, this is a feature that would 
probably best be included as a standard part of winbind.

I think a good way to do the heartbeat is to open an LDAP link for the 
"current" ADS, and either check credentials (or some other "no-op" 
operation) or close the link.  I realize TCP timeouts are probably at 
play here as well, so this is by no means a perfect solution.

However, I have no doubt there are smarter people than I reading this 
message, so I leave this in your already proven capable hands :)

Thanks for a great product!

Diego
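
The "daemonized", manually implemented heartbeat described in the message, as an added example that is not part of the original post and is not Samba or winbind code. It uses a plain TCP connect to the LDAP port as the "no-op", an explicit timeout so a dead DC cannot stall a beat, and a miss threshold (the "X heartbeats"); the host names and the `on_failover` hook are constructed for illustration.

```python
import socket

LDAP_PORT = 389  # standard LDAP port; a bare TCP connect stands in for the "no-op"

def tcp_probe(host, port=LDAP_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port opens within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure or timeout
        return False

class DcHeartbeat:
    """Track the current DC; fail over after `threshold` consecutive missed beats."""

    def __init__(self, candidates, threshold=3, probe=tcp_probe, on_failover=None):
        if not candidates:
            raise ValueError("need at least one DC")
        self.candidates = list(candidates)
        self.threshold = threshold
        self.probe = probe
        self.on_failover = on_failover or (lambda old, new: None)  # hypothetical hook
        self.current = self.candidates[0]
        self.misses = 0

    def beat(self):
        """Run one heartbeat; return the DC considered current afterwards."""
        if self.probe(self.current):
            self.misses = 0
            return self.current
        self.misses += 1
        if self.misses < self.threshold:
            return self.current  # tolerate transient loss so the choice does not flap
        # Threshold reached: switch to the first other candidate that answers.
        for dc in self.candidates:
            if dc != self.current and self.probe(dc):
                old, self.current, self.misses = self.current, dc, 0
                self.on_failover(old, dc)
                return dc
        return self.current  # nothing reachable; keep retrying on later beats

if __name__ == "__main__":
    import time
    hb = DcHeartbeat(["dc1.example.com", "dc2.example.com"],  # constructed names
                     on_failover=lambda o, n: print(f"failover {o} -> {n}"))
    while True:
        hb.beat()
        time.sleep(30)
```
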
