[Samba] Winbind is "sticky" on one DC

steve steve at steve-ss.com
Thu Oct 2 15:08:51 MDT 2014

On 02/10/14 20:54, Jonathan Gazeley wrote:
> On 02/10/14 16:42, Allen Chen wrote:
>> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>>> Hi chaps,
>>>> I've been using Winbind for several years to authenticate 802.1x
>>>> wireless users against Active Directory via FreeRADIUS. The solution
>>>> we've been using until now has been adequate but I've noticed some
>>>> problematic behaviour. We're running all stock packages from CentOS
>>>> 6 repos. Current version of winbind is 3.6.9. Unfortunately the
>>>> Windows DCs are managed by a different team and we don't have access
>>>> to their settings or logs.
>>>> We locate domain controllers using a DNS round-robin on
>>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite
>>>> often, our three RADIUS servers all latch onto the same DC and cause
>>>> loading problems.
>>>> In my smb.conf I've set "password server" to the DNS name of
>>>> individual DCs but this parameter seems to be ignored. Even after
>>>> restarting winbind or rebooting, the system always goes back to the
>>>> same DC.
>>>> I've also tried explicitly setting the names of individual DCs in
>>>> krb5.conf and this does not help the situation.
>>>> Can someone with winbind experience please explain what is going on,
>>>> and how I can force my RADIUS servers to latch onto specific DCs for
>>>> their authentications, so I can ensure that they don't all pile onto
>>>> the same DC and overload it.
>>>> Thanks,
>>>> Jonathan
>>> Bit of information from further testing - I was able to make winbind
>>> stop using the first DC by temporarily adding an iptables rule that
>>> dropped all outbound traffic to the first DC. Then, when restarting
>>> winbind, it picked a different DC. Surely there's a better way than
>>> this?
>>> Thanks,
>>> Jonathan
>> HI Jonathan,
>> What is the DNS setting on your Radius server?
>> I guess it points to your company's DNS server, then forward to your DCs?
>> Allen
> Yes, exactly. The Radius server uses the main DNS server to look up the
> fully qualified domain name of the DCs. The name of the
> ads.bristol.ac.uk returns round-robin records for all the 10 DCs, but I
> have also set password server to be the DNS name of one individual DC.
What are the DCs called? Guessing, e.g. dc1.ads.bristol.ac.uk, 
dc2.ads.bristol.ac.uk... You need to get to the AD side for the round 
robin to work. Difficult without smb.conf and a bit more info...

More information about the samba mailing list