[Samba] question on password server =
mj
lists at merit.unu.edu
Thu Jun 15 09:51:18 UTC 2017
Hi Rowland,
On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> OK, whilst it is recommended to use 'password server = *' you can use a
> list of servers instead. I personally do not see the point of setting
> it as you are proposing, surely it is just the same as using '*' ?
I know. I am asking because we are using a product called packetfence
that generates an smb.conf automatically, based on configuration
provided in their web admin interface.
The config that packetfence generates includes the line
> password server = samba4.domain.com
I asked them why that is, and if it's perhaps better to remove it, so
their config will default to "password server = *"
(as I have on our servers)
Then they sent me an explanation why they feel it should be there.
That's when I decided to ask here about the exact way the "password
server =" line works. (specifically in the case of some DCs being down)
I see now how I messed up sanitation... I will post again below, and
DOUBLE check:
samba4.company.com is the AD DNS name, REALM.
>> root@pf:~# host -t A samba4.company.com
>> samba4.company.com has address 192.168.0.1
>> samba4.company.com has address 192.168.0.2
>> samba4.company.com has address 192.168.0.3
>> root@pf~# host -t A samba4.company.com
>> samba4.company.com has address 192.168.0.2
>> samba4.company.com has address 192.168.0.3
>> samba4.company.com has address 192.168.0.1
That's my output, also showing the round robin dns in action. Your
suggestion listed specific DCs. That's NOT what I get.
Our DCs are like:
>> root@pf~# host -t A d2.samba4.company.com
>> dc2.samba4.company.com has address 192.168.0.2
and likewise for DC3 and DC1. Everything is working fine.
> Also, I hope that the domain name 'samba4.domain.com' doesn't map to 'merit.uni.edu'
No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever
mentioned our external dns domain. :-)
> If my reading of this is wrong, then please explain yourself better.
I hope I did now...
> If you really do want Samba to use a specific DC before all others, I
> would do something like this:
No, what I would like, is for the packetfence samba configuration to be
as robust as possible, because it will be doing 802.1x authentication
for our wired windows workstations. (and we don't want that to fail...)
I am trying to understand how things would function with *their*
smb.conf (containing "password server = samba4.company.com") while one
or two of our three DCs are offline.
And perhaps I should also simply tell them that you (as being "the samba
team") would also recommend (like I did before) to remove the line
altogether?
Problem is that while I can manually remove the line from their
smb.conf, it will be regenerated on every config change. :-(
Hope things are clearer now..? Thanks for taking the time to reply!
MJ