I'm having some trouble getting this to work, or even finding out if it works. I have read through Samba by Example and all the docs I can get my hands on, and I can't get this to work. Maybe it isn't supposed to....

I have set up Samba under RHEL4 QU1 to authenticate to AD. I am just using Samba to authenticate users for login purposes. It works fine and dandy until my primary AD box goes down. I have a secondary AD server. It has a full replication of AD, DNS, and also hands out Kerberos tickets. My AD DNS has the listings for _kerberos._tcp.gutbuster.local. `dig SRV _kerberos._tcp.gutbuster.local` returns both server entries regardless of which DNS server I use.

I don't seem to get very far once my primary has gone down. The Samba host is able to get a new Kerberos ticket from the secondary by running `kinit [EMAIL PROTECTED]` but can no longer get winbind info with `wbinfo`, and `getent passwd` fails to pull AD info. Have I said enough yet?

my samba host is 10.180.23.69
my ad primary is 10.180.23.57
my ad secondary is 10.180.23.88

I have forced Kerberos to use DNS to look up the KDC (dns_lookup_kdc=true) in the krb5.conf and I don't have any of the KDC=10.180.23.88. I have tried using 'password server = *', 'password server = 10.180.23.88 10.180.23.57', and removing the 'password server=' line altogether.

Does anyone know if this setup even works? Remember, it isn't that I can't get AD to authenticate; it's only when the primary AD server fails and the secondary server is all that exists.

Here is my krb5.conf and my smb.conf.......

```
[EMAIL PROTECTED] ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = GUTBUSTER.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 GUTBUSTER.LOCAL = {
  default_domain = gutbuster.local
 }

[domain_realm]
 .gutbuster.local = GUTBUSTER.LOCAL
 gutbuster.local = GUTBUSTER.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
[EMAIL PROTECTED] ~]#
```

```
[EMAIL PROTECTED] ~]# cat /etc/samba/smb.conf
[global]
 winbind separator = +
 winbind cache time = 10
 workgroup = GUTBUSTER.LOCAL
 winbind use default domain = yes
 client schannel = no
 realm = GUTBUSTER.LOCAL
 security = ads
 encrypt passwords = yes
 idmap uid = 5000-5999
 idmap gid = 6000-6999
 winbind enum users = yes
 winbind enum groups = yes
 template shell = /bin/bash
 template homedir = /home/%U
[EMAIL PROTECTED] ~]#
```

Thanks,
Brian Gautreau
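
Added example, not part of the original post: a small Python parser for the krb5.conf shown above that reports whether the default realm's KDCs come from static `kdc =` entries or from DNS SRV lookup, which is the setting the post relies on for failover. The function names and the reduced config text are constructed for illustration.

```python
import re

# Constructed input: the krb5.conf from the post, reduced to the sections
# that decide how a KDC is located.
KRB5_CONF = """\
[libdefaults]
 default_realm = GUTBUSTER.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = true
[realms]
 GUTBUSTER.LOCAL = {
  default_domain = gutbuster.local
 }
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] | nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                      # new top-level section
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()                 # close a nested block such as a realm
        elif stack and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def kdc_source(conf, realm=None):
    """Return (mode, kdcs) for a realm: 'static', 'dns', 'disabled' or 'unset'."""
    lib = conf.get("libdefaults", {})
    realm = realm or lib.get("default_realm", [""])[-1]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:                            # listed KDCs are used instead of DNS
        return "static", kdcs
    flag = lib.get("dns_lookup_kdc", [None])[-1]
    if flag is None:                    # left to the krb5 build default
        return "unset", []
    on = flag.lower() in {"true", "yes", "on", "1", "t", "y"}
    return ("dns" if on else "disabled"), []

def single_static_kdc(conf, realm=None):
    """True when exactly one KDC is hard-coded, so losing it stops ticket requests."""
    mode, kdcs = kdc_source(conf, realm)
    return mode == "static" and len(kdcs) == 1
```

For the configuration in the post, `kdc_source(parse_krb5(KRB5_CONF))` reports DNS-based discovery with no pinned KDC.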