[Samba] Winbind is "sticky" on one DC
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Thu Oct 2 12:54:39 MDT 2014
On 02/10/14 16:42, Allen Chen wrote:
> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>> Hi chaps,
>>>
>>> I've been using Winbind for several years to authenticate 802.1x
>>> wireless users against Active Directory via FreeRADIUS. The solution
>>> we've been using until now has been adequate but I've noticed some
>>> problematic behaviour. We're running all stock packages from CentOS
>>> 6 repos. Current version of winbind is 3.6.9. Unfortunately the
>>> Windows DCs are managed by a different team and we don't have access
>>> to their settings or logs.
>>>
>>> We locate domain controllers using a DNS round-robin on
>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite
>>> often, our three RADIUS servers all latch onto the same DC and cause
>>> loading problems.
>>>
>>> In my smb.conf I've set "password server" to the DNS name of
>>> individual DCs but this parameter seems to be ignored. Even after
>>> restarting winbind or rebooting, the system always goes back to the
>>> same DC.
>>>
>>> I've also tried explicitly setting the names of individual DCs in
>>> krb5.conf and this does not help the situation.
>>>
>>> Can someone with winbind experience please explain what is going on,
>>> and how I can force my RADIUS servers to latch onto specific DCs for
>>> their authentications, so I can ensure that they don't all pile onto
>>> the same DC and overload it.
>>>
>>> Thanks,
>>> Jonathan
>>
>> Bit of information from further testing - I was able to make winbind
>> stop using the first DC by temporarily adding an iptables rule that
>> dropped all outbound traffic to the first DC. Then, when restarting
>> winbind, it picked a different DC. Surely there's a better way than
>> this?
>>
>> Thanks,
>> Jonathan
> Hi Jonathan,
>
> What is the DNS setting on your Radius server?
> I guess it points to your company's DNS server, which then forwards to your DCs?
>
> Allen
>
Yes, exactly. The Radius server uses the main DNS server to look up the
fully qualified domain name of the DCs. The name ads.bristol.ac.uk returns
round-robin records for all 10 DCs, but I
have also set password server to be the DNS name of one individual DC.
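The load-spreading idea discussed in this thread, as an added shell example that is not code from the original posts: each RADIUS server gets a "password server" line with a different DC listed first (on the assumption that winbind tries the listed servers in order, which the thread itself reports not always holding on Samba 3.6), plus two checks that read `net ads info` output and a collected host/DC list to show whether several servers have latched onto the same DC. The DC names, the RADIUS_INDEX variable and the sample outputs are constructed for the example; the "LDAP server name:" line format is what Samba 3.x `net ads info` prints and is treated here as an assumption about the installed version.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed DC list standing in for
# the ~10 hosts behind ads.bris.ac.uk; the real names are an assumption.
DCS="dc1.ads.bris.ac.uk dc2.ads.bris.ac.uk dc3.ads.bris.ac.uk"

# Build a "password server" line for smb.conf, rotating the list so that
# RADIUS server number $1 (0-based) names a different DC first. Assuming
# winbind works through the list in order, distinct first entries spread
# the servers' preferred DCs instead of letting them pile onto one.
#   $1 = index of this RADIUS server, $2 = space-separated DC list
password_server_line() {
    awk -v idx="$1" -v list="$2" 'BEGIN {
        n = split(list, dc, " ")
        if (n == 0) exit 1
        out = ""
        for (i = 0; i < n; i++) {
            j = ((idx + i) % n) + 1
            out = out (i ? ", " : "") dc[j]
        }
        print "password server = " out
    }'
}

# Print the DC the Samba tools are currently bound to, from `net ads info`
# output read on stdin. Samba 3.x prints an "LDAP server name: <fqdn>"
# line; that format is an assumption about the installed version.
current_dc() {
    awk -F': *' '/^LDAP server name:/ { print $2; exit }'
}

# Given one "host dc" pair per line on stdin (collected from each RADIUS
# server), print every DC used by more than one host, i.e. the overload
# situation the thread describes. Prints nothing when load is spread.
shared_dcs() {
    awk '{ count[$2]++ } END { for (d in count) if (count[d] > 1) print d }' | sort
}

# Constructed sample of what `net ads info` prints on one server.
SAMPLE_NET_ADS_INFO='LDAP server: 10.0.0.1
LDAP server name: dc1.ads.bris.ac.uk
Realm: ADS.BRIS.AC.UK
Bind Path: dc=ADS,dc=BRIS,dc=AC,dc=UK
LDAP port: 389
KDC server: 10.0.0.1
Server time offset: 0'

# Constructed sample: three RADIUS servers, two of them on the same DC.
SAMPLE_BINDINGS='radius1 dc1.ads.bris.ac.uk
radius2 dc1.ads.bris.ac.uk
radius3 dc3.ads.bris.ac.uk'

# Usage: RADIUS_INDEX (assumed, per host) selects the rotation, then the
# two checks run over the constructed samples.
idx=${RADIUS_INDEX:-0}
password_server_line "$idx" "$DCS"
printf '%s\n' "$SAMPLE_NET_ADS_INFO" | current_dc
printf '%s\n' "$SAMPLE_BINDINGS" | shared_dcs
```

On a live server, replace the constructed samples by piping the real `net ads info` into `current_dc` and collecting one "hostname dc" line from each RADIUS box into `shared_dcs`. Samba also keeps a server-affinity (SAF) entry for the last DC it used in its gencache, which survives a winbind restart; `net cache flush` clears it, which is a gentler way to force a re-selection than the iptables drop rule described earlier in the thread.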