[Samba] Several AD domain servers
howard at cohtech.com
Thu Oct 4 09:02:36 GMT 2007
Paulo Almeida wrote:
> Is it possible to assign several AD domain servers in the krb5.conf file?
> The question is, if one of the AD servers goes down, it is useful if Samba can
> get authentication through another AD server in the domain.
> Sorry if this question has already been answered previously.
> Domain Server: MS Windows 2003 SP2
> Linux Box: SLES 10 SP1 (kernel 2.6.16)
> Samba version: 3.0.24-2.28
> Kerberos version: 1.4.3-19.25
> Best regards,
> Paulo Almeida
Set the entries in the [libdefaults] section like this:
default_realm = <FQDN of domain>
Then add records to your DNS of the following form:
_kerberos.<zone> IN TXT <FQDN of domain>
The FQDN of the domain is the AD domain name, e.g. domain.example.com.
The zone is the local zone for the workstation/server running Linux, e.g.
The Kerberos lookups will then get a list of KDCs from the domain
servers (so long as they can find the zone data for the domain) by
looking up the SRV records for the KDC (and falling back to the A record
lookup for the domain name), and will tie the local workstation to the
domain via the TXT record.
If you have multiple zones in which your workstations/servers are
installed, you can also add the following to the [domain_realm] section of
the krb5.conf file:
<zone> = <FQDN of domain>
.<zone> = <FQDN of domain>
for each zone in your network(s). Note you should always do this for at
least the zone that the local machine is within.
This will allow the machines to fail over if the AD controller they try
to contact is down. Be warned, however, that there is a large window when
controllers are shutting down or starting up where they offer KDC
services (i.e. respond to messages) but do not provide those services.
This can result in logins timing out or being rejected because the KDC
has started but the AD LDAP environment is not fully up, etc. So this
will cope with hard failures and machines being switched off, but not
with machines currently failing, shutting down or starting up.
If you are using Samba as the authentication route via pam_winbind, you
might also need to add the line
password server = <FQDN of domain>
to smb.conf to get this to work.
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
howard at cohtech.com
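The following is an added worked example of the configuration described in the reply above; it is not from the original post or from the Samba project. It assumes an AD domain example.com whose Kerberos realm is EXAMPLE.COM (realm names are upper-case by Kerberos convention), two domain controllers dc1.example.com and dc2.example.com, and Linux hosts living in a separate DNS zone corp.example.com; all of those names are made up for the example. It also assumes MIT Kerberos, as shipped on SLES 10.

```ini
# /etc/krb5.conf  (added example; names below are assumptions, not real hosts)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Discover KDCs from the SRV records AD registers
    # (_kerberos._udp.EXAMPLE.COM / _kerberos._tcp.EXAMPLE.COM), so every
    # DC in the domain is a candidate and a dead one is skipped.
    dns_lookup_kdc = true
    # Resolve the host->realm mapping from _kerberos.<zone> TXT records.
    dns_lookup_realm = true

[realms]
    EXAMPLE.COM = {
        # Explicit fallback list. NOTE: with MIT krb5, listing kdc entries
        # here turns off SRV lookup for this realm; the library then tries
        # these hosts in the order given. Either rely on DNS (leave these
        # commented out) or list every DC you want to fail over to.
        # kdc = dc1.example.com
        # kdc = dc2.example.com
        admin_server = dc1.example.com
        default_domain = example.com
    }

[domain_realm]
    # Map every zone your Linux hosts sit in to the AD realm, always
    # including the zone the local machine itself is in.
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    corp.example.com = EXAMPLE.COM
    .corp.example.com = EXAMPLE.COM

# /etc/samba/smb.conf, [global] excerpt for the pam_winbind case
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # More than one DC may be listed; winbind tries them in order.
    password server = dc1.example.com dc2.example.com
```

The matching DNS records, in zone-file syntax, would be `_kerberos.corp.example.com. IN TXT "EXAMPLE.COM"` in the workstations' zone, plus the `_kerberos._udp.example.com. IN SRV 0 100 88 dc1.example.com.` and `... dc2.example.com.` records that AD's own DNS already publishes. A quick check that failover is actually in play is `kinit user@EXAMPLE.COM` with one DC's port 88 blocked on the Linux host, watching for a successful ticket from the other DC; this does not exercise the half-up window the reply warns about, where a DC answers on port 88 but AD is not yet serving, so test that separately by authenticating while a DC is rebooting.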