[Samba] Winbind is "sticky" on one DC

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Thu Oct 2 12:54:39 MDT 2014

On 02/10/14 16:42, Allen Chen wrote:
> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>> Hi chaps,
>>> I've been using Winbind for several years to authenticate 802.1x 
>>> wireless users against Active Directory via FreeRADIUS. The solution 
>>> we've been using until now has been adequate but I've noticed some 
>>> problematic behaviour. We're running all stock packages from CentOS 
>>> 6 repos. Current version of winbind is 3.6.9. Unfortunately the 
>>> Windows DCs are managed by a different team and we don't have access 
>>> to their settings or logs.
>>> We locate domain controllers using a DNS round-robin on 
>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite 
>>> often, our three RADIUS servers all latch onto the same DC and cause 
>>> loading problems.
>>> In my smb.conf I've set "password server" to the DNS name of 
>>> individual DCs but this parameter seems to be ignored. Even after 
>>> restarting winbind or rebooting, the system always goes back to the 
>>> same DC.
>>> I've also tried explicitly setting the names of individual DCs in 
>>> krb5.conf and this does not help the situation.
>>> Can someone with winbind experience please explain what is going on, 
>>> and how I can force my RADIUS servers to latch onto specific DCs for 
>>> their authentications, so I can ensure that they don't all pile onto 
>>> the same DC and overload it.
>>> Thanks,
>>> Jonathan
>> Bit of information from further testing - I was able to make winbind 
>> stop using the first DC by temporarily adding an iptables rule that 
>> dropped all outbound traffic to the first DC. Then, when restarting 
>> winbind, it picked a different DC. Surely there's a better way than 
>> this?
>> Thanks,
>> Jonathan
> Hi Jonathan,
> What is the DNS setting on your Radius server?
> I guess it points to your company's DNS server, which then forwards to your DCs?
> Allen

Yes, exactly. The Radius server uses the main DNS server to look up the 
fully qualified domain name of the DCs. The name ads.bristol.ac.uk returns 
round-robin records for all 10 DCs, but I have also set password server to 
be the DNS name of one individual DC.
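The thread describes three RADIUS servers all "latching onto" one DC and overloading it. The script below is an added example, not code from the thread or from the Samba project: it reads the DC that winbind's machine account is currently bound to from the output of `net ads info` (assumed here to contain an `LDAP server name:` line) and reports any DC shared by more than one RADIUS host, so the pile-up can be detected before the DC becomes overloaded. Hostnames and DC names in the samples are constructed; the `ssh` loop in the comment is the assumed way to collect the pairs from real hosts.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect winbind hosts
# that have all bound to the same domain controller.
# Assumption: `net ads info` prints a line "LDAP server name: <dc fqdn>".

# Print the DC name from `net ads info` output supplied on stdin.
dc_from_ads_info() {
    awk -F': *' '/^LDAP server name:/ { print $2; exit }'
}

# Read "host dc" pairs on stdin. Print every DC used by more than one host,
# followed by the hosts sharing it. Exit status 1 when any DC is shared.
find_shared_dc() {
    awk '
        NF == 2 { count[$2]++; hosts[$2] = hosts[$2] " " $1 }
        END {
            shared = 0
            for (dc in count)
                if (count[dc] > 1) { shared = 1; print dc ":" hosts[dc] }
            exit shared
        }'
}

# Constructed sample of `net ads info` output from one RADIUS host.
SAMPLE_ADS_INFO='LDAP server: 10.0.0.3
LDAP server name: dc03.example.internal
Realm: EXAMPLE.INTERNAL
LDAP port: 389'

# Constructed sample of what three RADIUS servers might report
# (two of them bound to the same DC, the situation the thread describes).
SAMPLE_PAIRS='radius1 dc03.example.internal
radius2 dc03.example.internal
radius3 dc07.example.internal'

# Against real hosts, collect the pairs over ssh instead of using the sample:
#   for h in radius1 radius2 radius3; do
#       printf '%s %s\n' "$h" "$(ssh "$h" net ads info | dc_from_ads_info)"
#   done | find_shared_dc || echo "WARNING: a DC is shared by several hosts"

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_ADS_INFO" | dc_from_ads_info
printf '%s\n' "$SAMPLE_PAIRS" | find_shared_dc \
    || echo "WARNING: a DC is shared by several hosts"
```

Run it from a cron job or a monitoring check: an empty report with exit status 0 means each RADIUS server is bound to a different DC; any printed line names the DC that is carrying more than one server's authentication load.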
