[Samba] Winbind authentication issues when single Domain Controller down

Jeremy Allison jra at samba.org
Mon Apr 25 19:30:28 UTC 2022

On Mon, Apr 25, 2022 at 02:17:33PM -0500, Richard Anderson wrote:
>Samba: Version 4.13.17-Ubuntu
>Winbindd: Version 4.13.17-Ubuntu
>I would expect Samba to handle it fine, also. I wonder if there is
>something in our config that is preventing it from working properly. Would
>"dns proxy = no" do that? I started exploring that as a possible item to
>test outside of business hours.
>I included my smb.conf and nsswitch.conf as an attachment in the original
>post. I am including inline here just in case.

I think removing the "password server" line and letting
winbindd look up the DC's itself might be the better
thing to do.

Either way, once the list of IP addresses is retrieved,
we use a function cldap_multi_netlogon() to send a CLDAP
ping to all addresses in the list. From the comment for

  * Do a parallel cldap ping to the servers. The first "min_servers"
  * are fired directly, the remaining ones in 100msec intervals. If
  * "min_servers" responses came in successfully, we immediately reply,
  * not waiting for the remaining ones.

More information about the samba mailing list