How to configure samba+winbind with AD redundancy?

EdgarLemke

8/4/24, 2:41 PM

I work for a company that offers a software solution for network management. Part of the solution is proxy authentication. An already legacy option in our software, is to configure a proxy to use NTLM authentication (among other possible authentication schemes). Currently, however, there's a limitation in the software for using only a single Active Directory server for authentication, and I received a task to overcome such limitation.

The idea is to implement some kind of redundancy, so that if the main AD server goes down, our server automatically starts to authenticate against the secondary AD server behind the scenes, and clients can still authenticate seamlessly or at least so so.

The server environment is a modified Debian GNU/Linux, running Squid 4.13-VCS. In the working NTLM authentication scheme, Squid uses Samba's tool ntlm_auth to do the authentication. Samba version is 4.10.5 (from smbclient -V). Our AD test servers run Windows Server, the test server I created runs Windows Server 2022. Both AD servers are in the same domain (the test server I created sync-ed with the older test server domain).

I did some research and it seems that ntlm_auth connects to winbind, which on its part keeps a connection to the AD server. I tried to setup the "password server" parameter in smb.conf but when I run "net ads join -U 'user%password'" it ignores it, and it's only working when I use the -S parameter, forcing a specific server. It seems to only work with a single server parameter and as far as I tested, winbind simply doesn't seem smart enough to detect the AD server went down and automatically try another one.

My smb.conf is, with company-specific details ommited:

[global]
  workgroup = domain
  server string = SMB Server
  password server = SRVAD002 SRVAD001

  security = ads
  realm = domain.local
  interfaces = 172.30.46.200/255.255.0.0,192.168.10.116/255.255.255.0,192.168.10.246/255.255.255.0
  bind interfaces only = yes

  #DEFAULT: lm announce = auto
  #lm announce = no
  local master = no
  os level = 10
  domain master = no
  preferred master = no
  dns proxy = no
  log level = 1
  syslog = 0
  syslog only = no
  log file = /var/log/samba/samba.log
  max log size = 0

  winbind uid = 10000-20000
  winbind gid = 30000-40000
  winbind use default domain = Yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = /
  #winbind separator = +
  #DEFAULT: winbind cache time = 15
  winbind cache time = 60
  #DEFAULT winbind max clients = 200
  winbind max clients = 600
  winbind refresh tickets = true

  #ntlm auth = Yes
  #min protocol = NT1
  #client NTLMv2 auth = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  getwd cache = yes

I also tried to set the interfaces parameter pointing directly to the AD servers to no avail.

So, is there some way to configure samba/winbind/ntlm_auth to do this redundancy setup? Maybe some AD connections pool or something?

1 + 0

active-directory

samba

redundancy

ntlm

Score:1

Server

Greg Askew

8/4/24, 3:07 PM

In Active Directory, this is the responsibility of the consumer.

You could do what every Windows endpoint host does. Query rootdse for a list of domain controllers, then perform a network connection test on the required ports (135,389,3268), and select a domain controller closest to you based on the SRV record. Or you can do what some other Enterprise vendors do and configure two domain controllers instead of one. If the primary is down, attempt the operation on the other server.

+ 4

EdgarLemke

8/4/24, 4:09 PM

Unfortunately in our use case the only real AD "consumer" is the proxy server itself. The proxy service is designed to be a transparent proxy serving a Wi-Fi hotspot, so the real clients won't even connect to the network if the proxy doesn't authenticate their accounts against the AD. I could write a solution to continuously check the servers ports and restart winbind pointing to the proper server if the other one goes down but it seems quite hackish. The second test server is already configured as DC.

EdgarLemke

8/4/24, 4:22 PM

By "connect to the network" I mean "navigate on the internet", sorry.

Greg Askew

8/4/24, 4:36 PM

There are several ways to approach this. But since it is a client solution not AD or winbind it probably trends towards hackish. Most people don't encounter this due to AD can normally have a high uptime. Where it usually is problematic is with complex topologies, and non standard networks like multiple network adapters, and using the domain DNS name instead of specific domain controller names (server bind). But all of those are typical issues that the client can compensate for.

EdgarLemke

8/11/24, 7:42 PM

Thanks for your time @GregAskew, it helped to make the issue clearer.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to configure samba+winbind with AD redundancy?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.