[Samba] Winbind is "sticky" on one DC

Allen Chen achen at harbourfrontcentre.com
Thu Oct 2 14:18:05 MDT 2014

On 10/2/2014 2:54 PM, Jonathan Gazeley wrote:
> On 02/10/14 16:42, Allen Chen wrote:
>> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>>> Hi chaps,
>>>> I've been using Winbind for several years to authenticate 802.1x 
>>>> wireless users against Active Directory via FreeRADIUS. The 
>>>> solution we've been using until now has been adequate but I've 
>>>> noticed some problematic behaviour. We're running all stock 
>>>> packages from CentOS 6 repos. Current version of winbind is 3.6.9. 
>>>> Unfortunately the Windows DCs are managed by a different team and 
>>>> we don't have access to their settings or logs.
>>>> We locate domain controllers using a DNS round-robin on 
>>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite 
>>>> often, our three RADIUS servers all latch onto the same DC and 
>>>> cause loading problems.
>>>> In my smb.conf I've set "password server" to the DNS name of 
>>>> individual DCs but this parameter seems to be ignored. Even after 
>>>> restarting winbind or rebooting, the system always goes back to the 
>>>> same DC.
>>>> I've also tried explicitly setting the names of individual DCs in 
>>>> krb5.conf and this does not help the situation.
>>>> Can someone with winbind experience please explain what is going 
>>>> on, and how I can force my RADIUS servers to latch onto specific 
>>>> DCs for their authentications, so I can ensure that they don't all 
>>>> pile onto the same DC and overload it.
>>>> Thanks,
>>>> Jonathan
>>> Bit of information from further testing - I was able to make winbind 
>>> stop using the first DC by temporarily adding an iptables rule that 
>>> dropped all outbound traffic to the first DC. Then, when restarting 
>>> winbind, it picked a different DC. Surely there's a better way than 
>>> this?
>>> Thanks,
>>> Jonathan
>> Hi Jonathan,
>> What is the DNS setting on your Radius server?
>> I guess it points to your company's DNS server, then forward to your 
>> DCs?
>> Allen
> Yes, exactly. The Radius server uses the main DNS server to look up 
> the fully qualified domain name of the DCs. The name of the 
> ads.bristol.ac.uk returns round-robin records for all the 10 DCs, but 
> I have also set password server to be the DNS name of one individual DC.
What is your Windows domain name?
You have 10 DCs, so what is this name ads.bristol.ac.uk?
Can you post the smb.conf on the winbind server?