[Samba] Resilience inquiry: What happens to samba clients if a domain controller fails?

Avron Gray agray at aeso.ca
Thu Feb 12 15:39:58 GMT 2009

Hello folks,

I have been asked about the resilience of Samba clients when faced with
a domain controller failure. My client's environment has multiple
Windows Domain Controllers (we'll call them dc1 - dc9).

Assuming that domain replication operates as expected (and it does, from
a Windows workstation's point of view), what should I expect if (when) the
domain controller that initiated a Kerberos ticket or provided Active
Directory authentication fails? I have not been able to test this
properly, as my dev domain is too dissimilar to my production domain...

Support Information:
- My UNIX environment is running Kerberos 5.

- Kerberos5 configuration information:
   kdc.conf has my domain listed in realms
   krb5.conf has my domain listed in realms like this:
           DOMAINNAME.CA = {
                   kdc = dc1.domainname.ca
                   admin_server = dc1.domainname.ca
                   default_domain = DOMAINNAME.CA
           }

- Samba 3.0.33 configuration information:
   security          = ads
   realm             = DOMAINNAME.CA
   workgroup         = DOMAINNAME
   encrypt passwords = yes
   server string     = %h Samba %v

   smb ports          = 445
   disable netbios    = yes
   name resolve order = hosts

- Hosts were joined to the domain using:
   net ADS join -U administrator
   administrator's password:
   Using short domain name -- DOMAINNAME
   Joined 'HOST' to realm 'DOMAINNAME.CA'

- DNS information
   root@oradbp1# nslookup domainname.ca
   Server:  dc2.domainname.ca

   Name:    domainname.ca
** IP addresses changed for ambiguity

- Avron
