[Samba] question on password server =

Rowland Penny rpenny at samba.org
Thu Jun 15 10:46:37 UTC 2017


On Thu, 15 Jun 2017 11:51:18 +0200
mj via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> On 06/15/2017 11:05 AM, Rowland Penny via samba wrote:
> > OK, whilst it is recommended to use 'password server = *' you can
> > use a list of servers instead. I personally do not see the point of
> > setting it as you are proposing, surely it is just the same as
> > using '*' ?
> I know. I am asking because we are using a product called packetfence 
> that generates an smb.conf automatically, based on configuration 
> provided in their web admin interface.

I will take a look at packetfence.

OK, done a quick scan and found this in their Administration Guide:

When done with the Samba install, modify your /etc/hosts in order to
add the FQDN of your Active Directory servers. 

Er, why?

Active Directory relies on DNS, so you should never have to do that; if
DNS isn't working, AD isn't either.
 
> 
> The config that packetfence generates includes the line
>  > password server = samba4.domain.com
> 
> I asked them why that is, and if it's perhaps better to remove it, so 
> their config will default to "password server = *"
> (as I have on our servers)
> 
> Then they sent me an explanation why they feel it should be there.

Could you share this, offlist if needs be.

> 
> That's when I decided to ask here about the exact way the "password 
> server =" line works. (specifically in the case of some DCs being
> down)
> 
> I see now how I messed up sanitation... I will post again below, and 
> DOUBLE check:
> 
> samba4.company.com is the AD DNS name, REALM.
> 
> >> root at pf:~# host -t A samba4.company.com
> >> samba4.company.com has address 192.168.0.1
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> root at pf~# host -t A  samba4.company.com
> >> samba4.company.com has address 192.168.0.2
> >> samba4.company.com has address 192.168.0.3
> >> samba4.company.com has address 192.168.0.1
> That's my output, also showing the round robin dns in action. Your 
> suggestion listed specific DCs. That's NOT what I get.

I can understand that now, it was the mismatch of domain names that
was confusing me.

> 
> Our DCs are like:
>  >> root at pf~# host -t A  d2.samba4.company.com
>  >> dc2.samba4.company.com has address 192.168.0.2
> and likewise for DC3 and DC1. Everything is working fine.
> 
> > Also, I hope that the domain name 'samba4.domain.com' doesn't map
> > to 'merit.uni.edu'
> No it doesn't :-) Sanitation gone wrong sorry. Please forget I ever 
> mentioned our external dns domain. :-)

What external domain ? ;-)

> No, what I would like, is for the packetfence samba configuration to
> be as robust as possible, because it will be doing 802.1x
> authentication for our wired windows workstations. (and we don't want
> that to fail...)
> 
> I am trying to understand how things would function with *their* 
> smb.conf (containing "password server = samba4.company.com") while
> one or two of our three DCs are offline.
> 
> And perhaps I should also simply tell them that you (as being "the
> samba team") would also recommend (like I did before) to remove the
> line altogether?
> 
> Problem is that while I can manually remove the line from their 
> smb.conf, it will be regenerated on every config change. :-(
> 
> Hope things are clearer now..? Thanks for taking the time to reply!
> 
> MJ
> 

Ah, so it is not a case of wanting to use a specific DC, but to ensure
you can find a DC.

Samba recommends that you use '*' (or to put it another way, don't add
the line). The Samba code will dynamically find the best DC to use;
packetfence may be interfering with this by adding the line in the way
it does.

As packetfence adds the line, it is probably doing it from a template
somewhere, so if you can find this template, you should be able to
remove this line, if you should so wish.

Rowland
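As an added example, not part of this thread nor of packetfence's or Samba's own code: a small Python audit of a generated smb.conf that reads the 'password server' parameter, treats a missing line as the default '*' (DNS-based DC discovery, the recommendation above), and for an explicit name reports how many addresses it resolves to. The smb.conf fragments and the DNS answers are constructed to match the sanitised names in the thread.

```python
import configparser
import socket
from typing import Callable, Dict, List

# Constructed sample of the kind of [global] section packetfence generates
# (not a real packetfence template); names are the sanitised ones from the thread.
PACKETFENCE_SMB_CONF = """
[global]
    workgroup = SAMBA4
    realm = SAMBA4.COMPANY.COM
    security = ads
    password server = samba4.company.com
"""

# The same fragment with the line removed, which is what Samba recommends
# (equivalent to 'password server = *').
RECOMMENDED_SMB_CONF = """
[global]
    workgroup = SAMBA4
    realm = SAMBA4.COMPANY.COM
    security = ads
"""

def password_server(smb_conf: str) -> str:
    """Return the effective 'password server' value of the [global] section.
    Samba ignores whitespace and case in parameter names, so normalise both;
    a missing parameter means the default '*' (find DCs via DNS)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda opt: opt.replace(" ", "").lower()
    cp.read_string(smb_conf)
    return cp.get("global", "passwordserver", fallback="*").strip()

def audit(smb_conf: str, resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """Classify the setting: '*' is the recommended DNS-based DC discovery;
    an explicit name is only as robust as the addresses it resolves to."""
    value = password_server(smb_conf)
    if value == "*":
        return {"setting": "*", "recommended": True, "hosts": {}}
    hosts = {h: resolve(h) for h in value.replace(",", " ").split()}
    return {"setting": value, "recommended": False, "hosts": hosts}

def dns_resolve(name: str) -> List[str]:
    """Real resolver (A/AAAA via the system libc) to pass to audit() on a live host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

# Constructed answers mirroring the round-robin 'host -t A' output in the thread.
FAKE_DNS = {"samba4.company.com": ["192.168.0.1", "192.168.0.2", "192.168.0.3"]}

if __name__ == "__main__":
    for conf in (PACKETFENCE_SMB_CONF, RECOMMENDED_SMB_CONF):
        print(audit(conf, lambda h: FAKE_DNS.get(h, [])))
```

Passing `dns_resolve` instead of the constructed lookup runs the same audit against real DNS.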