[PacketFence-devel] Admin Guide Samba Password Server
Upchurch, Bart S.
2015-05-01 21:16:04 UTC
Page 32 in the Admin Guide shows the example

password server = 192.168.1.1

Would it be better to show?

password server = 192.168.1.1, 192.168.1.2, *
or
password server = 192.168.1.1, *

I know this was my fault, but I only placed one of our Domain Controller's IP in the smb.conf. When the Domain controller rebooted, I started getting the below error message.

Fri May 1 08:22:17 2015 : Info: Child PID 22881 (/usr/bin/ntlm_auth) is taking too much time: forcing failure and killing child.

I had to restart samba to fix it. By specifying an * it will use the IPs listed as preferred then will use others if the preferred are not available.

Reference link:
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#PASSWORDSERVER

Thanks,
Bart
Louis Munro
2015-05-07 13:24:15 UTC
Post by Upchurch, Bart S.
Page 32 in the Admin Guide shows the example
password server = 192.168.1.1
Would it be better to show?
password server = 192.168.1.1, 192.168.1.2, *
or
password server = 192.168.1.1, *
I know this was my fault, but I only placed one of our Domain Controller’s IP in the smb.conf. When the Domain controller rebooted, I started getting the below error message.
Fri May 1 08:22:17 2015 : Info: Child PID 22881 (/usr/bin/ntlm_auth) is taking too much time: forcing failure and killing child.
I had to restart samba to fix it. By specifying an * it will use the IPs listed as preferred then will use others if the preferred are not available.
https://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#PASSWORDSERVER
I don't think this works the way you believe.

password server is only used for LDAP authentication and not for ntlm_auth.
Winbind uses DNS to find the DC to query.

Regards,
--
Louis Munro
***@inverse.ca :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
Upchurch, Bart S.
2015-05-12 21:59:31 UTC
Thanks Louis,
I think you pointed me in the right direction. The below configuration did not fix my problem. For testing, I added a firewall rule on my AD server to block access from my PacketFence server, to simulate a server reboot. Whenever I enabled the rule, I still got the same error message as below. It appears winbind was not seeing my other domain controllers. However, once I added multiple kdc servers in my /etc/krb5.conf, the PacketFence server was able to switch to the other AD servers to authenticate.

I found this article that says I need the servers in both smb.conf and krb5.conf:
https://access.redhat.com/articles/2329

I do not know if this directly relates to ntlm_auth, but it seems to fix my problem when rebooting a domain controller. It seems krb5.conf is the main one to change.

I was thinking that it would be nice if the documentation had an example of authenticating against multiple AD servers for failover. Is this a default in the Red Hat/CentOS krb5.conf? I am using Ubuntu 12.04.

Thanks,
Bart
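A check for the failover shape Bart describes above, added here as an example and not code from PacketFence, Samba or the thread: it parses the [realms] section of a constructed krb5.conf and flags realms that list only one kdc, the single-domain-controller layout that produced the ntlm_auth timeouts (realm names and addresses are assumptions).

```python
"""Flag Kerberos realms whose krb5.conf lists only one KDC.

Added example, not PacketFence or Samba code. Realm names and
addresses are constructed; see the thread for the failure mode.
"""
from typing import Dict, List

# Constructed krb5.conf: EXAMPLE.LOCAL has a second KDC for failover,
# LEGACY.LOCAL keeps the single-DC shape that caused the outage.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.LOCAL
[realms]
    EXAMPLE.LOCAL = {
        kdc = 192.168.1.1
        kdc = 192.168.1.2   # second DC: survives a reboot of the first
        admin_server = 192.168.1.1
    }
    LEGACY.LOCAL = {
        kdc = 192.168.5.1   # only one DC: reboot means ntlm_auth timeouts
    }
"""

def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {realm: [kdc, ...]} from the [realms] section of a krb5.conf."""
    kdcs: Dict[str, List[str]] = {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and value == "{":          # start of a realm block
            realm = key
            kdcs.setdefault(realm, [])
        elif line == "}":                 # end of the realm block
            realm = None
        elif realm and key.lower() == "kdc" and value:
            kdcs[realm].append(value)
    return kdcs

def single_kdc_realms(text: str) -> List[str]:
    """Realms with fewer than two KDCs: one domain controller reboot is an outage."""
    return sorted(r for r, k in parse_realm_kdcs(text).items() if len(k) < 2)
```

Run it against the real /etc/krb5.conf on the PacketFence host to confirm every realm lists at least two domain controllers before relying on failover.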
