[Samba] Winbind is "sticky" on one DC
Allen Chen
achen at harbourfrontcentre.com
Thu Oct 2 09:42:22 MDT 2014
On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
> On 01/10/14 11:56, Jonathan Gazeley wrote:
>> Hi chaps,
>>
>> I've been using Winbind for several years to authenticate 802.1x
>> wireless users against Active Directory via FreeRADIUS. The solution
>> we've been using until now has been adequate but I've noticed some
>> problematic behaviour. We're running all stock packages from CentOS 6
>> repos. Current version of winbind is 3.6.9. Unfortunately the Windows
>> DCs are managed by a different team and we don't have access to their
>> settings or logs.
>>
>> We locate domain controllers using a DNS round-robin on
>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite
>> often, our three RADIUS servers all latch onto the same DC and cause
>> loading problems.
>>
>> In my smb.conf I've set "password server" to the DNS name of
>> individual DCs but this parameter seems to be ignored. Even after
>> restarting winbind or rebooting, the system always goes back to the
>> same DC.
>>
>> I've also tried explicitly setting the names of individual DCs in
>> krb5.conf and this does not help the situation.
>>
>> Can someone with winbind experience please explain what is going on,
>> and how I can force my RADIUS servers to latch onto specific DCs for
>> their authentications, so I can ensure that they don't all pile onto
>> the same DC and overload it.
>>
>> Thanks,
>> Jonathan
>
> Bit of information from further testing - I was able to make winbind
> stop using the first DC by temporarily adding an iptables rule that
> dropped all outbound traffic to the first DC. Then, when restarting
> winbind, it picked a different DC. Surely there's a better way than this?
>
> Thanks,
> Jonathan
Hi Jonathan,
What is the DNS setting on your RADIUS server?
I guess it points to your company's DNS server, which then forwards to your DCs?
Allen