[Samba] Winbind authentication issues when single Domain Controller down

Richard Anderson rich.anderson at mbx.com
Mon Apr 25 19:17:33 UTC 2022


Samba: Version 4.13.17-Ubuntu
Winbindd: Version 4.13.17-Ubuntu

I would expect Samba to handle it fine, also. I wonder if there is
something in our config that is preventing it from working properly. Would
"dns proxy = no" do that? I started exploring that as a possible item to
test outside of business hours.

I included my smb.conf and nsswitch.conf as an attachment in the original
post. I am including inline here just in case.

#############
smb.conf
#############
[global]
workgroup = OURDOMAIN
server string = Linux Server %v
load printers = no

###########################
## Added as a test to prevent mbxmenu from breaking. This is a problem where the Samba
## mounts could neither be accessed nor umounted (at least very quickly). We suspected
## that the core issue was a locking or oplock problem but we were not able to prove anything.
## The change here has not been confirmed with certainty that it has prevented our issues described above.
min protocol = SMB2
deadtime = 10
##########################

server signing = mandatory
realm = OURDOMAIN.COMPANY_DOMAIN.COM
use sendfile = no
dns proxy = no
smb ports = 139 445
security = ADS
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = yes
ea support = yes
unix extensions = no

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

## Cache and specify server if we lose/reboot one of the domain controllers
winbind offline logon = yes
winbind cache time = 600
password server = dc1.ourdomain.company_domain.com,dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com

## Add winbind mapping for shell and home directory - part of replacing mbx_sssd_ldap for img Forge servers
template shell = /bin/bash
template homedir = /home/%u

# Default idmap config used for BUILTIN and local accounts/groups
# https://wiki.samba.org/index.php/Idmap_config_ad
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain
idmap config OURDOMAIN:backend = ad
idmap config OURDOMAIN:schema_mode = rfc2307
idmap config OURDOMAIN:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307


##############
# nsswitch.conf
##############

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat winbind
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
sudoers: files

Rich

*Sr. Systems Engineer*



On Mon, Apr 25, 2022 at 1:42 PM Jeremy Allison <jra at samba.org> wrote:

> On Mon, Apr 25, 2022 at 11:56:22AM -0500, Richard Anderson via samba wrote:
> >When one of our domain controllers is restarted or down, occasionally we
> >will have a large number of errors on our Samba server. This appears to
> >depend on whatever domain controller is being used by winbind.
> >
> >We found this out when several of our users reported they could not login
> >to our Samba server. Logs indicated NT_STATUS_NO_LOGON_SERVERS. This was
> on
> >a reboot of one of our domain controllers. Once the domain controller was
> >back up we were able to login to the server.
> >
> >Does the 'password server' setting work? Is there another setting I should
> >consider?
> >
> >We use winbind for authentication. When the domain controller that is
> being
> >used is down, wbinfo -P will take several minutes before failing and does
> >not appear to switch to another server on the second or third attempt.
> >
> >*Tried (smb.conf)*
> >
> >   - winbind offline login = yes
> >   - winbind cache time = 600
> >   - password server = dc1.ourdomain.company_domain.com,
> >   dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com
>
> What Samba version ? Modern Samba code to find a DC will
> ping DC's in parallel and pick the first one that responds.
>

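Added example (not from the thread or from Samba itself): a small health check that pulls the winbind-related settings out of an smb.conf and tests whether each host in `password server` answers on the ports winbind and Kerberos/LDAP need, with a short timeout. The point is to surface an unreachable DC in seconds from the Samba server's own view, rather than discovering it through the multi-minute `wbinfo -P` hang and `NT_STATUS_NO_LOGON_SERVERS` errors described above. The port set and the sample config are my assumptions, modelled on the config in the thread.

```python
"""Check each 'password server' from an smb.conf for basic TCP reachability.

Added example for the winbind DC-failover discussion; not part of Samba.
"""
import configparser
import socket
import sys

# Ports a domain member needs on a DC (assumed set for this check):
# Kerberos, LDAP and SMB (netlogon/RPC).
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445}

# Constructed sample modelled on the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
workgroup = OURDOMAIN
realm = OURDOMAIN.COMPANY_DOMAIN.COM
security = ADS
dns proxy = no
server string = Linux Server %v
## Cache and specify server if we lose/reboot one of the domain controllers
winbind offline logon = yes
winbind cache time = 600
password server = dc1.ourdomain.company_domain.com, dc2.ourdomain.company_domain.com,dc3.ourdomain.company_domain.com
idmap config OURDOMAIN:backend = ad
store dos attributes = Yes
store dos attributes = yes
"""


def parse_smb_conf(text):
    """Return the [global] section as a dict with lower-cased parameter names.

    smb.conf is close enough to INI for configparser if we only split on '='
    (keys like 'idmap config X:backend' contain ':'), ignore '%v'-style macros
    (interpolation=None) and tolerate duplicate keys (strict=False), which the
    posted config has.
    """
    cp = configparser.ConfigParser(
        interpolation=None,
        allow_no_value=True,
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
        strict=False,
    )
    cp.optionxform = str.lower  # smb.conf parameter names are case-insensitive
    cp.read_string(text)
    return dict(cp["global"])


def password_servers(global_section):
    """Split 'password server' (comma- or space-separated) into a hostname list."""
    raw = global_section.get("password server", "")
    return [h for h in raw.replace(",", " ").split() if h]


def offline_logon_enabled(global_section):
    """True if 'winbind offline logon' is set to a truthy smb.conf value."""
    value = global_section.get("winbind offline logon", "no").strip().lower()
    return value in ("yes", "true", "1")


def check_dc(host, ports=DC_PORTS, timeout=2.0):
    """Attempt a TCP connect to each port with a short timeout.

    Returns {service_name: reachable}. Only the TCP handshake is tested; a DC
    that accepts the connection but is mid-reboot can still fail authentication.
    """
    result = {}
    for name, port in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[name] = True
        except OSError:
            result[name] = False
    return result


def report(text, timeout=2.0):
    """One status line per configured password server, plus a cache hint."""
    g = parse_smb_conf(text)
    lines = []
    for host in password_servers(g):
        status = check_dc(host, timeout=timeout)
        down = [s for s, ok in status.items() if not ok]
        lines.append(f"{host}: " + ("OK" if not down else "UNREACHABLE on " + ",".join(down)))
    if not offline_logon_enabled(g):
        lines.append("note: winbind offline logon is not enabled; cached logons are off")
    return lines


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/samba/smb.conf"
    with open(path, encoding="utf-8", errors="replace") as fh:
        print("\n".join(report(fh.read())))
```

Run it as `python3 check_dcs.py /etc/samba/smb.conf` on the member server when users start reporting logon failures; a DC that shows `UNREACHABLE` here is the one to expect `wbinfo -P` to hang on. Because winbind keeps talking to the DC it last selected, a clean result for the other two DCs does not by itself mean logons will succeed until winbind has reselected.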
