[Samba] Winbind is "sticky" on one DC

steve steve at steve-ss.com
Thu Oct 2 15:08:51 MDT 2014


On 02/10/14 20:54, Jonathan Gazeley wrote:
> On 02/10/14 16:42, Allen Chen wrote:
>> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>>> Hi chaps,
>>>>
>>>> I've been using Winbind for several years to authenticate 802.1x
>>>> wireless users against Active Directory via FreeRADIUS. The solution
>>>> we've been using until now has been adequate but I've noticed some
>>>> problematic behaviour. We're running all stock packages from CentOS
>>>> 6 repos. Current version of winbind is 3.6.9. Unfortunately the
>>>> Windows DCs are managed by a different team and we don't have access
>>>> to their settings or logs.
>>>>
>>>> We locate domain controllers using a DNS round-robin on
>>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite
>>>> often, our three RADIUS servers all latch onto the same DC and cause
>>>> loading problems.
>>>>
>>>> In my smb.conf I've set "password server" to the DNS name of
>>>> individual DCs but this parameter seems to be ignored. Even after
>>>> restarting winbind or rebooting, the system always goes back to the
>>>> same DC.
>>>>
>>>> I've also tried explicitly setting the names of individual DCs in
>>>> krb5.conf and this does not help the situation.
>>>>
>>>> Can someone with winbind experience please explain what is going on,
>>>> and how I can force my RADIUS servers to latch onto specific DCs for
>>>> their authentications, so I can ensure that they don't all pile onto
>>>> the same DC and overload it.
>>>>
>>>> Thanks,
>>>> Jonathan
>>>
>>> Bit of information from further testing - I was able to make winbind
>>> stop using the first DC by temporarily adding an iptables rule that
>>> dropped all outbound traffic to the first DC. Then, when restarting
>>> winbind, it picked a different DC. Surely there's a better way than
>>> this?
>>>
>>> Thanks,
>>> Jonathan
>> Hi Jonathan,
>>
>> What is the DNS setting on your Radius server?
>> I guess it points to your company's DNS server, which then forwards to your DCs?
>>
>> Allen
>>
>
> Yes, exactly. The Radius server uses the main DNS server to look up the
> fully qualified domain name of the DCs. The name of the
> ads.bristol.ac.uk returns round-robin records for all the 10 DCs, but I
> have also set password server to be the DNS name of one individual DC.
>
What are the DCs called? Guessing, e.g. dc1.ads.bristol.ac.uk,
dc2.ads.bristol.ac.uk... You need to get to the AD side for the round
robin to work. Difficult without smb.conf and a bit more info...
Cheers,
