[Samba] Winbind is "sticky" on one DC

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Fri Oct 3 03:07:36 MDT 2014


On 02/10/14 22:08, steve wrote:
> On 02/10/14 20:54, Jonathan Gazeley wrote:
>> On 02/10/14 16:42, Allen Chen wrote:
>>> On 10/1/2014 10:05 AM, Jonathan Gazeley wrote:
>>>> On 01/10/14 11:56, Jonathan Gazeley wrote:
>>>>> Hi chaps,
>>>>>
>>>>> I've been using Winbind for several years to authenticate 802.1x
>>>>> wireless users against Active Directory via FreeRADIUS. The solution
>>>>> we've been using until now has been adequate but I've noticed some
>>>>> problematic behaviour. We're running all stock packages from CentOS
>>>>> 6 repos. Current version of winbind is 3.6.9. Unfortunately the
>>>>> Windows DCs are managed by a different team and we don't have access
>>>>> to their settings or logs.
>>>>>
>>>>> We locate domain controllers using a DNS round-robin on
>>>>> ads.bris.ac.uk which returns about 10 DCs. I've noticed that quite
>>>>> often, our three RADIUS servers all latch onto the same DC and cause
>>>>> loading problems.
>>>>>
>>>>> In my smb.conf I've set "password server" to the DNS name of
>>>>> individual DCs but this parameter seems to be ignored. Even after
>>>>> restarting winbind or rebooting, the system always goes back to the
>>>>> same DC.
>>>>>
>>>>> I've also tried explicitly setting the names of individual DCs in
>>>>> krb5.conf and this does not help the situation.
>>>>>
>>>>> Can someone with winbind experience please explain what is going on,
>>>>> and how I can force my RADIUS servers to latch onto specific DCs for
>>>>> their authentications, so I can ensure that they don't all pile onto
>>>>> the same DC and overload it.
>>>>>
>>>>> Thanks,
>>>>> Jonathan
>>>>
>>>> Bit of information from further testing - I was able to make winbind
>>>> stop using the first DC by temporarily adding an iptables rule that
>>>> dropped all outbound traffic to the first DC. Then, when restarting
>>>> winbind, it picked a different DC. Surely there's a better way than
>>>> this?
>>>>
>>>> Thanks,
>>>> Jonathan
>>> Hi Jonathan,
>>>
>>> What is the DNS setting on your Radius server?
>>> I guess it points to your company's DNS server, then forward to your 
>>> DCs?
>>>
>>> Allen
>>>
>>
>> Yes, exactly. The Radius server uses the main DNS server to look up the
>> fully qualified domain name of the DCs. The name of the
>> ads.bristol.ac.uk returns round-robin records for all the 10 DCs, but I
>> have also set password server to be the DNS name of one individual DC.
>>
> What are the DCs called? Guessing, e.g. dc1.ads.bristol.ac.uk, 
> dc2.ads.bristol.ac.uk... You need to get to the AD side for the round 
> robin to work. Difficult without smb.conf and a bit more info...
> Cheers,
>

OK, here goes.

ads.bris.ac.uk returns all the IP addresses of the DCs:

[jg4461@radius03 ~]$ nslookup ads.bris.ac.uk
Server:        127.0.0.1
Address:    127.0.0.1#53

Non-authoritative answer:
Name:    ads.bris.ac.uk
Address: 137.222.10.68
Name:    ads.bris.ac.uk
Address: 137.222.7.88
Name:    ads.bris.ac.uk
Address: 137.222.7.77
Name:    ads.bris.ac.uk
Address: 137.222.158.158
Name:    ads.bris.ac.uk
Address: 137.222.156.227
Name:    ads.bris.ac.uk
Address: 137.222.154.11
Name:    ads.bris.ac.uk
Address: 137.222.62.26

The DCs themselves are all in different subdomains of bris.ac.uk, not 
ads.bris.ac.uk. e.g. one is called uob-dc10.bris.ac.uk

My smb.conf is quite short (no file shares, mostly just AD 
configuration). Here are the relevant params:

         workgroup = UOB
         server string = radius03.nomadic-core.bris.ac.uk
         netbios name = rn-de89a707
         security = ads
         realm = ads.bris.ac.uk
         password server = cse-lox.cse.bris.ac.uk
         winbind use default domain = no
         winbind nested groups = Yes
         winbind enum users = No
         winbind enum groups = No
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         dns proxy = yes
         name resolve order = host lmhost
         winbind max domain connections = 5
         winbind max clients = 300

After restarting winbind, it continues to use uob-dc10.bris.ac.uk (as 
returned from the dns lookup of ads.bris.ac.uk) despite the fact that 
password server is telling it to use a different DC.

I've used tcpdump to watch what DNS lookups the system is doing when 
winbind is restarted, and apparently it is not performing a DNS lookup 
at all. It only starts to use cse-lox in preference to uob-dc10 when I 
set an outbound firewall rule on the Radius server to reject all 
outbound traffic to uob-dc10.

I hope this gives a bit more info about our setup.

Thanks,
Jonathan

