[Samba] How does Samba find a domain controller?

Gautier, B (Bob) Bob.Gautier at rabobank.com
Fri May 5 13:47:30 GMT 2006


> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
> Sent: 05 May 2006 14:35
> To: Gautier, B (Bob)
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] How does Samba find a domain controller?
> Gautier, B (Bob) wrote:
> >> The recommendation in the smb.conf manpage is 'name resolve order =
> >> wins bcast' when you are in security=ads mode, with a remark that in
> >> that case ADS-style DNS lookups are done anyway, first.  Is my
> >> reading right?
> If the man page says that, it's wrong.  DNS lookups are only
> performed if you have host in the 'name resolve order' list.
> I can double check, but I'm pretty sure this is how we coded it up.
> > Samba 3.0.23 will query the correct
> > _ldap._tcp.dc._msdcs.<domain> name and includes affinity for a server
> > once connected so that for example winbindd will reconnect to the
> > server used during the domain join to avoid lags in replication delays
> > between DCs.
> > 
> >> Is that in pre1, or still to come?
> The server affinity patches are in 3.0.23pre1.  The new DNS lookup
> routines are still in development.
> >> So as I understand it there is no plan to do any 'nearest DC'
> >> guessing (which is what Windows appears to do, based on IP address
> >> comparisons) but we can influence choice of DC by what we put in the
> >> DNS in the first place, and by firewalling to prevent access to
> >> inappropriate (e.g. offsite) DCs?
> You mean the Site name stuff?  I'm working on integrating the CLDAP
> queries but I haven't looked at the Site stuff much.
> We used to pick DCs based on network address and that was horrible.

I might mean Site name stuff -- my understanding of exactly how Windows
does it is hazy.  I've got enough detail for my purposes now, and
knowing that Samba once *did* do address-based choice, has stopped, and
presumably won't ever do it again is useful.

> Note that for your own domain you can specify 'password server =
> foo.dom.ain *' to give preference to a specific DC.  This doesn't work
> for trusted domains though.

Another useful trick!

Thanks again,

Bob G

> cheers, jerry
> =====================================================================
> Samba                                    ------- http://www.samba.org
> Centeris                         -----------  http://www.centeris.com
> "What man is a man who does not make the world better?"      --Balian

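Added example (not part of the original message and not Samba code): a small Python audit of smb.conf text for the DC-location settings discussed in this thread. It flags security = ads combined with an explicit 'name resolve order' that omits host, following the reply quoted above, and reports any preferred DC from 'password server'. The sample configuration is constructed, and using the realm value as the DNS domain in the SRV name is an assumption.

```python
# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
   realm = DOM.AIN
   security = ads
   ; the setting the thread says the manpage recommends
   name resolve order = wins bcast
   password server = foo.dom.ain *
"""


def parse_global(text):
    """Return [global] parameters with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_dc_location(text):
    """Summarise how this configuration will look for a domain controller."""
    p = parse_global(text)
    order = p.get("name resolve order", "").lower().split()
    servers = p.get("password server", "").replace(",", " ").split()
    report = {
        "ads": p.get("security", "").lower() == "ads",
        # Per the reply in the thread, DNS is used only when 'host' is listed.
        # None means the parameter is not set here and the default applies.
        "dns_in_order": ("host" in order) if order else None,
        "srv_name": None,
        "preferred_dcs": [s for s in servers if s != "*"],
        # A '*' entry keeps automatic lookup of the remaining DCs.
        "auto_locate_rest": "*" in servers,
        "warnings": [],
    }
    if p.get("realm"):
        # Assumption: the realm doubles as the DNS domain for the SRV name.
        domain = p["realm"].lower().rstrip(".")
        report["srv_name"] = "_ldap._tcp.dc._msdcs." + domain
    if report["ads"] and report["dns_in_order"] is False:
        report["warnings"].append(
            "security = ads but 'host' is missing from 'name resolve order'")
    return report
```
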
