Hello all!

I've been successful at adding ADS authentication to my Samba servers on all fronts, and have also gotten Kerberos authentication working. I've managed to overcome some limitations (like, for instance, automatic password changes on password expiration), but am facing one last hurdle before I can honestly say that my system is well prepared for (almost) all scenarios.

When the primary ADS goes down (we're taking it offline to do testing when possible), Winbind refuses to go out and look for a backup. We either have to manually bounce the service (it will find the backup appropriately), or use "wbinfo -u". So, here's the feature request: would it be possible for Winbind to implement some sort of "current DC" heartbeat mechanism, such that when that heartbeat fails (or after X heartbeats, whatever...), it automatically goes and looks for an alternate DC?

I realize that this can probably be achieved using "winbind cache time"; however, setting this too low would probably result in a lot of unnecessary network traffic. Also, a "daemonized", manually implemented heartbeat could do the job. However, this is a feature that would probably best be included as a standard part of winbind.

I think a good way to do the heartbeat is to open an LDAP link to the "current" ADS, and either check credentials (or do some other "no-op" operation) or close the link. I realize TCP timeouts are probably at play here as well, so this is by no means a perfect solution.

However, I have no doubt there are smarter people than I reading this message, so I leave this in your already proven capable hands :)

Thanks for a great product!

Diego
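Added example, not part of the original message and not Samba code: a sketch of the heartbeat described above, which probes the current DC, counts consecutive failures, and moves to an alternate DC after X misses. Assumptions: a bounded-timeout TCP connect to the LDAP port stands in for the LDAP "no-op", the class and function names are hypothetical, and the host names in any usage are constructed.

```python
import socket

LDAP_PORT = 389  # standard LDAP port


def tcp_probe(host, port=LDAP_PORT, timeout=3.0):
    """Stand-in for the LDAP no-op: True if the DC accepts a TCP connection.

    The explicit timeout bounds how long a dead DC can stall one heartbeat,
    which addresses the TCP-timeout concern raised in the message.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class DCHeartbeat:
    """Tracks the current DC and fails over after max_failures missed beats."""

    def __init__(self, dcs, max_failures=3, probe=tcp_probe):
        if not dcs:
            raise ValueError("at least one DC is required")
        self.dcs = list(dcs)          # ordered preference list (assumption)
        self.max_failures = max_failures
        self.probe = probe            # injectable so the logic can be tested offline
        self.current = 0
        self.failures = 0

    def beat(self):
        """Run one heartbeat and return the DC considered current afterwards."""
        if self.probe(self.dcs[self.current]):
            self.failures = 0         # a single success clears transient misses
            return self.dcs[self.current]
        self.failures += 1
        if self.failures >= self.max_failures:
            self._failover()
        return self.dcs[self.current]

    def _failover(self):
        """Pick the next DC that answers; keep the current one if none does."""
        n = len(self.dcs)
        for step in range(1, n):
            idx = (self.current + step) % n
            if self.probe(self.dcs[idx]):
                self.current = idx
                self.failures = 0
                return
        # No alternate reachable: the failure count stays at or above the
        # threshold, so the next missed beat retries the search.
```

A caller would invoke `beat()` on a timer and, when the returned DC changes, take whatever action makes winbind re-locate a DC (the message mentions bouncing the service).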
