[Samba] Winbind is "sticky" on one DC

Allen Chen achen at harbourfrontcentre.com
Thu Oct 2 09:42:22 MDT 2014


On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
> On 01/10/14 11:56, Jonathan Gazeley wrote:
>> Hi chaps,
>>
>> I've been using Winbind for several years to authenticate 802.1x 
>> wireless users against Active Directory via FreeRADIUS. The solution 
>> we've been using until now has been adequate but I've noticed some 
>> problematic behaviour. We're running all stock packages from CentOS 6 
>> repos. Current version of winbind is 3.6.9. Unfortunately the Windows 
>> DCs are managed by a different team and we don't have access to their 
>> settings or logs.
>>
>> We locate domain controllers using a DNS round-robin on 
>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite 
>> often, our three RADIUS servers all latch onto the same DC and cause 
>> loading problems.
>>
>> In my smb.conf I've set "password server" to the DNS name of 
>> individual DCs but this parameter seems to be ignored. Even after 
>> restarting winbind or rebooting, the system always goes back to the 
>> same DC.
>>
>> I've also tried explicitly setting the names of individual DCs in 
>> krb5.conf and this does not help the situation.
>>
>> Can someone with winbind experience please explain what is going on, 
>> and how I can force my RADIUS servers to latch onto specific DCs for 
>> their authentications, so I can ensure that they don't all pile onto 
>> the same DC and overload it.
>>
>> Thanks,
>> Jonathan
>
> Bit of information from further testing - I was able to make winbind 
> stop using the first DC by temporarily adding an iptables rule that 
> dropped all outbound traffic to the first DC. Then, when restarting 
> winbind, it picked a different DC. Surely there's a better way than this?
>
> Thanks,
> Jonathan
HI Jonathan,

What is the DNS setting on your Radius server?
I guess it points to your company's DNS server, then forward to your DCs?

Allen
 


More information about the samba mailing list