[Samba] how to manually specify domain controllers

Dennis Xu dxu at uoguelph.ca
Tue Apr 12 14:07:18 UTC 2016


Hi Jonathan, 

I can understand the load sharing will not be an issue in your setup. And my situation is exactly as what you have described. 

My Samba configuration is like below: 

workgroup = CFS 
server string = Samba Server Version %v 

security = ads 
password server = * 
realm = cfs.uoguelph.ca 

dedicated keytab file = /etc/krb5.keytab 
kerberos method = secrets and keytab 
winbind refresh tickets = yes 

winbind trusted domains only = no 
winbind use default domain = yes 
winbind enum users = yes 
winbind enum groups = yes 

idmap config ad 



Dennis 

----- Original Message -----

From: "Jonathan Hunter" <jmhunter1 at gmail.com> 
To: "samba" <samba at lists.samba.org> 
Sent: Monday, April 11, 2016 4:37:19 PM 
Subject: Re: [Samba] how to manually specify domain controllers 

On 11 April 2016 at 15:28, Rowland penny <rpenny at samba.org> wrote: 

> On 08/04/16 21:19, Dennis Xu wrote: 
> 
>> We have two Samba 4.2.3 servers with FreeRadius to authenticate wireless 
>> users against active directory. Using DNS, sometimes both servers end up 
>> using the same domain controller to authenticate users. I would like to 
>> distribute the load to different DCs. Is there a way to manually point 
>> Samba to certain DCs? 
>> 
> I don't think you can do this, a quick google found this: 
> 
> 
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows7/AdminTips/ActiveDirectory/Hardcodingthelogondomaincontroller.html 
> 

I think that refers more to a Windows client (or indeed one such as sssd 
that behaves in the same manner), it doesn't mean that if your client can 
be given a hardcoded DNS name it wouldn't work, as such. 

My personal setup is to have freeradius running on each of my domain 
controllers. My RADIUS clients (network switches, access points etc.) all 
point at multiple domain controllers, allowing the clients to fail over if 
a RADIUS server doesn't respond. 

My /etc/freeradius/modules/mschap file contains: 

ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

The theory of operation being, if a domain controller fails completely then 
the client will not get a response from freeradius, and it will query the 
next domain controller in turn. This does work. 

I suppose, if freeradius is running on the DC but samba isn't, and 
ntlm_auth picks the local server for AD authentication and fails, then the 
authentication attempt would fail. That hasn't happened to me yet, but I'm 
not clear how ntlm_auth picks a DC to authenticate against. I was kind of 
assuming it would use 'localhost' but I'm not sure now. 

Dennis - I'm still not totally clear as to your scenario, do you have 
something like this: 
Samba server S1, S2 
Windows AD server W1, W2 
RADIUS client devices C1, C2 

with C1, C2 configured to use S1, S2 as RADIUS servers, and freeradius on 
S1, S2 configured to authenticate against W1, W2 (how?) ? 

Cheers 

Jonathan 


-- 
"If we knew what it was we were doing, it would not be called research, 
would it?" 
- Albert Einstein 
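Jonathan's fail-over reasoning above (RADIUS clients try the next server when one stops answering, and a RADIUS host whose local Samba cannot reach a DC would silently fail authentications), as an added example that is not part of the thread and not Samba or FreeRADIUS project code. It is a POSIX sh health check for a FreeRADIUS host that authenticates through ntlm_auth/winbind: `wbinfo --ping-dc` and `wbinfo --dsgetdcname=DOMAIN` are real Samba commands; the `WBINFO` variable and the function names are assumptions made so the logic can be exercised with a stub, and `first_live_server` models the client-side fail-over order rather than any real RADIUS client.

```shell
#!/bin/sh
# Added example, not from the thread: health check for a FreeRADIUS host that
# authenticates against AD via ntlm_auth/winbind. If winbind has no working DC
# connection, the host should stop answering RADIUS so clients fail over.
# WBINFO is an assumed override so the check can be tested with a stub command.

WBINFO="${WBINFO:-wbinfo}"

# dc_reachable: return 0 when winbind reports a working DC connection.
dc_reachable() {
    "$WBINFO" --ping-dc >/dev/null 2>&1
}

# current_dc DOMAIN: print the DC winbind selected for DOMAIN, so each RADIUS
# host can log which DC it actually talks to (the thread's original concern).
current_dc() {
    "$WBINFO" --dsgetdcname="$1" 2>/dev/null
}

# first_live_server "s1 s2 s3" PROBE: print the first server for which PROBE
# (a command or shell function taking the server name) returns 0. This models
# a RADIUS client trying its configured servers in order and moving on when one
# does not respond; returns 1 when none answers.
first_live_server() {
    servers=$1
    probe=$2
    for s in $servers; do
        if "$probe" "$s"; then
            printf '%s\n' "$s"
            return 0
        fi
    done
    return 1
}

# radius_host_ready DOMAIN: 0 when this host may accept RADIUS requests, 1 when
# it should be taken out of service (winbind cannot reach any DC).
radius_host_ready() {
    if dc_reachable; then
        printf 'winbind DC for %s: %s\n' "$1" "$(current_dc "$1")" >&2
        return 0
    fi
    printf 'winbind has no DC connection; stop answering RADIUS on this host\n' >&2
    return 1
}

# Real run only when invoked as: sh check_dc.sh check DOMAIN
if [ "${1:-}" = "check" ]; then
    radius_host_ready "${2:-CFS}" || exit 1
fi
```

Wire `radius_host_ready` into whatever supervises freeradius on each server (a cron job or the service manager's health check) so that a host with a broken winbind connection stops responding and the RADIUS clients move to the next server, instead of returning Access-Reject for every user.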