[Samba] Samba - faster failover to other AD servers?

Peter Eriksson pen at lysator.liu.se
Wed Sep 2 09:30:45 UTC 2020

We just had an interesting experience here. One of our AD servers was down for 90 minutes due to the server being physically moved to another location. This shouldn’t be a problem since there are 5 other AD servers in that “group” that can take over the load. However it seems Samba (when used as a fileserver) for some reason is taking quite a long time to “give up” on the first one and switch to one of the alternative ones.

Don’t know if it’s the Kerberos bits or if it’s the LDAP connection (or both) that is slow to “switch”. 

Am I the only one seeing this?

Is there something that can be done to speed that process up?

I guess I could force Samba to talk to a special virtual “AD” address we have that is behind a load balancer (it’s mainly used for equipment that needs to talk to the AD servers but can only talk to one specific server) but I’ve tried to keep the configuration as normal as possible so...

We have a “samba-watchdog” script that regularly attempts to connect to the file service (using smbclient) and during this time period this script was triggered a number of times: If a connection attempt takes more than 15 seconds then it sleeps 5 seconds and tries again. If that one fails too then it kills winbindd and restarts it (which is pretty quick so most users don’t notice it).

The main reason for this script is to make smbd recover when new connections are “hung” when/if it hangs at the “10 hour lockup after winbindd start” (which probably is due to the service principal expiring and needing renewal - this doesn’t seem to happen on small servers with few users, but for us with 500-1600 users per “samba” it happens regularly). Every day at 17:00 and 03:00 (we restart smbd & winbindd at 07:00). Without this watchdog smbd would refuse new connections for 1-15 minutes (or more) which isn’t good :-)
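As an added example (not the poster's own script), here is a POSIX sh version of the watchdog logic described above: one probe is given 15 seconds, a second attempt follows after 5 seconds, and only two consecutive failures trigger a winbindd restart. It assumes a hypothetical probe target of //localhost/IPC$ with Kerberos credentials already in the credential cache, FreeBSD's service(8) for the restart, and timeout(1) from the base system (or GNU coreutils).

```shell
#!/bin/sh
# samba-watchdog: probe the local smbd with smbclient and restart winbindd
# when two consecutive probes fail or hang. Run it from cron, e.g. every minute:
#   * * * * * /usr/local/sbin/samba-watchdog.sh run
# Every default below is an assumption and can be overridden via the environment.

PROBE_TIMEOUT=${PROBE_TIMEOUT:-15}   # seconds a connection may take before it counts as hung
RETRY_SLEEP=${RETRY_SLEEP:-5}        # pause between the first and the second attempt
PROBE_CMD=${PROBE_CMD:-'smbclient -k -c quit //localhost/IPC$'}   # hypothetical target share
RESTART_CMD=${RESTART_CMD:-'service winbindd restart'}            # FreeBSD rc(8) style

# probe: run PROBE_CMD under a hard time limit. Returns 0 on success; non-zero on
# a failed connection or when timeout(1) kills a hung smbclient (exit status 124).
probe() {
    timeout "$PROBE_TIMEOUT" sh -c "$PROBE_CMD" >/dev/null 2>&1
}

# check_and_recover: the decision logic from the post. A single slow or failed
# probe is tolerated; a second failure after RETRY_SLEEP seconds restarts winbindd.
# Returns 0 when the file service looked healthy, 1 when winbindd was restarted.
check_and_recover() {
    if probe; then
        return 0
    fi
    sleep "$RETRY_SLEEP"
    if probe; then
        return 0
    fi
    logger -t samba-watchdog "two consecutive smbclient probes failed; restarting winbindd" 2>/dev/null || :
    sh -c "$RESTART_CMD"
    return 1
}

# Only act when invoked with "run", so the functions can be sourced or tested safely.
case "${1:-}" in
    run) check_and_recover ;;
esac
```

Logging each restart via logger(1) gives a syslog trail that shows how often recovery actually fires, which is what you want to correlate against AD server outages like the one described.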

Samba 4.12.5, FreeBSD 11.3 & 12.1

From krb5.conf:

  kdc = server1
  kdc = server2
  kdc = server3
  kdc = server4

It was “server1” that was being moved.

Peter Eriksson <pen at lysator.liu.se>
