Thanks Louis,
I think you pointed me in the right direction. The below
configuration did not fix my problem. For testing, I added a firewall rule in
my AD server to block access to my packetfence server to simulate a server
reboot. Whenever I enable the rule, I still got the same error message as
below. It appears winbind was not seeing my other domain controllers. However
once I added multiple kdc servers in my /etc/krb5.conf, the packetfence server
was able to switch to other AD servers to authenticate.
I found this article that says I need the servers in both smb.conf and krb5.conf
https://access.redhat.com/articles/2329
I do not know if this directly relates to ntlm_auth, but it seems to fix my
problem when rebooting a domain controller. It seems krb5.conf is the main one
to change.
I was thinking that it would be nice if the documentation had an example of
authenticating against multiple AD servers for failover. Is this a default in
Red Hat/CentOS krb5.conf? I am using Ubuntu 12.04.
Thanks,
Bart
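For reference, a krb5.conf realm stanza listing more than one KDC, as the message above describes (added example, not a file from this thread or from PacketFence; the realm, hostnames and addresses are placeholders):

```ini
# /etc/krb5.conf (added example; EXAMPLE.LOCAL and the dc1/dc2 names are placeholders)
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    # keep DNS SRV discovery on as well, so DCs not listed here can still be found
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.LOCAL = {
        # MIT Kerberos tries the kdc entries in the order listed and moves on
        # to the next one when a KDC does not answer, which is what gives
        # failover when one domain controller is rebooting
        kdc = dc1.example.local
        kdc = dc2.example.local
        admin_server = dc1.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL
```

After editing the file, `kinit` against a test user with one listed DC unreachable is a quick way to confirm the second entry is actually used before relying on it for ntlm_auth.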
From: Louis Munro [mailto:lmu...@inverse.ca]
Sent: Thursday, May 7, 2015 8:24 AM
To: packetfence-devel@lists.sourceforge.net
Subject: Re: [PacketFence-devel] Admin Guide Samba Password Server
On May 1, 2015, at 17:16 , Upchurch, Bart S.
<bart.upchu...@texarkanacollege.edu>
wrote:
Page 32 In Admin Guide shows the example
password server = 192.168.1.1
Would it be better to show?
password server = 192.168.1.1, 192.168.1.2, *
or
password server = 192.168.1.1, *
I know this was my fault, but I only placed one of our Domain Controller's IP
in the smb.conf. When the Domain controller rebooted, I started getting the
below error message.
Fri May 1 08:22:17 2015 : Info: Child PID 22881 (/usr/bin/ntlm_auth) is taking
too much time: forcing failure and killing child.
I had to restart samba to fix it. By specifying an * it will use the IPs listed
as preferred then will use others if the preferred are not available.
Reference link:
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#PASSWORDSERVER
I don't think this works the way you believe.
password server is only used for LDAP authentication and not for ntlm_auth.
Winbind uses DNS to find the DC to query.
Regards,
--
Louis Munro
lmu...@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
_______________________________________________
PacketFence-devel mailing list
PacketFence-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-devel