[Samba] question on password server =

L.P.H. van Belle belle at bazuin.nl
Thu Jun 15 10:04:54 UTC 2017


Read below..  ;-) 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Thursday 15 June 2017 11:51
> To: samba at lists.samba.org
> Subject: Re: [Samba] question on password server =
> 
> Hi Rowland,
> 
> On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> > OK, whilst it is recommended to use 'password server = *' you can use a
> > list of servers instead. I personally do not see the point of setting
> > it as you are proposing, surely it is just the same as using '*' ?
> I know. I am asking because we are using a product called packetfence 
> that generates an smb.conf automatically, based on configuration 
> provided in their web admin interface.
> 
> The config that packetfence generates includes the line
>  > password server = samba4.domain.com
> 
> I asked them why that is, and if it's perhaps better to remove it, so 
> their config will default to "password server = *"
> (as I have on our servers)
> 
> Then they sent me an explanation why they feel it should be there.
> 
> That's when I decided to ask here about the exact way the "password 
> server =" line works. (specifically in the case of some DCs being down)
> 
> I see now how I messed up sanitation... I will post again below, and 
> DOUBLE check:
> 
> samba4.company.com is the AD DNS name, REALM.
> 
> >> root at pf:~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.1
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> root at pf~# host -t A  samba4.company.com
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> samba4.company.com has address 192.168.0.1
> That's my output, also showing the round robin dns in action. Your 
> suggestion listed specific DCs. That's NOT what I get.

Your output is 100% correct.. No worries..  ;-) 
My test same, I just can find the TechNet article on this just now. 
host -t A internal.domain.tld
internal.domain.tld has address 192.168.0.2
internal.domain.tld has address 192.168.0.1
(These two can change in order.)

Imo, the suggestion of packetfence..
It's not wrong to use : password server = internal.domain.tld
But it is not the same as   : password server = *

What we need here is: how exactly does this work? (from the password server setting/function/code etc.)

What I think:
In case of password server = internal.domain.tld
PF resolves internal.domain.tld, and comes back with one of the 2 domain controllers in this example.
And to my belief, but this is more a developer question, so Rowland pay attention..  ;-)
If the resolving is done by the "password server" setting, does it check if the server is online?

In case of the setting : password server = *
To my belief a check is done if the server is online.

But I just can't read this in the code, for me much too complex..

And that's the question..


Greetz, 

Louis




> 
> Our DCs are like:
>  >> root at pf~# host -t A  d2.samba4.company.com
>  >> dc2.samba4.company.com has address 192.168.0.2
> and likewise for DC3 and DC1. Everything is working fine.
> 
> > Also, I hope that the domain name 'samba4.domain.com' doesn't map to
> > 'merit.uni.edu'
> No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever 
> mentioned our external dns domain. :-)
> 
> > If my reading of this is wrong, then please explain yourself better.
> I hope I did now...
> 
> > If you really do want Samba to use a specific DC before all others, I
> > would do something like this:
> No, what I would like, is for the packetfence samba configuration to be 
> as robust as possible, because it will be doing 802.1x authentication 
> for our wired windows workstations. (and we don't want that to fail...)
> 
> I am trying to understand how things would function with *their* 
> smb.conf (containing "password server = samba4.company.com") while one 
> or two of our three DCs are offline.
> 
> And perhaps I should also simply tell them that you (as being "the samba 
> team") would also recommend (like I did before) to remove the line 
> altogether?
> 
> Problem is that while I can manually remove the line from their 
> smb.conf, it will be regenerated on every config change. :-(
> 
> Hope things are clearer now..? Thanks for taking the time to reply!
> 
> MJ
> 