
I am trying to use Samba4 to implement Active Directory logins across a network, using nslcd and pam-krb5 to register and authenticate users, and mount.cifs to mount shares such as home areas. The internal Samba4 DNS is used to provide DNS to all clients. Overall the setup works very well, with users being correctly identified and automatic share mounting through pam-mount working a treat. However, I want to try to implement a form of redundancy on this network with additional domain controllers.

To configure nslcd to point to multiple servers, I set a uri field to uri DNS, which lets nslcd pick up information about which LDAP server to use from DNS records like _ldap._tcp.domain.com - conveniently set automatically by Samba to point to every LDAP-capable server on the network.

/etc/krb5.conf was equally simple to configure, with the dns_lookup_kdc option set to true.

However, the one stumbling block of this setup is resolving DNS. Putting multiple nameserver lines in /etc/resolv.conf allows the clients to use a secondary nameserver in case the primary one goes down, but there is a huge timeout on every DNS query before that occurs. I have managed to reduce this timeout by setting option timeout: 0.3 in that file, but it is still painfully slow when using commands like ping.

Also, ignoring all of that for a second, mount.cifs seems incapable of being configured for multiple servers. I have tried to use //domain.com/share to mount the share, and this works to a certain degree, but fails when using Kerberos (since Kerberos requires the FQDN of the server to work properly). I have also tried using another of the SRV DNS records provided by Samba, such as _ldap._tcp.dc._msdcs.domain.com (a record which should point to every domain controller on that domain), but it likes that even less.

Any ideas?

Robin McCorkell

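The following is an added example, not code from the original post or from Samba, showing one way around the mount.cifs limitation described in the question: instead of mounting //domain.com/share, resolve the _ldap._tcp.dc._msdcs SRV record that Samba publishes for every domain controller, probe each DC in priority/weight order with a short per-host timeout, and pass the first reachable DC's FQDN to mount.cifs so that sec=krb5 can find a matching cifs/ service principal. The domain name, share name and mount point are hypothetical placeholders, and the script assumes dig, nc and mount.cifs are installed.

```shell
#!/bin/sh
# Added example, not from the original post: choose a reachable domain
# controller from the SRV records Samba publishes, then mount a share with
# Kerberos using that DC's FQDN (sec=krb5 needs a host name that matches a
# cifs/ service principal, so //domain.com/share does not work).
# Hypothetical values: DOMAIN, SHARE, MNT. Requires dig, nc and mount.cifs.

DOMAIN="${DOMAIN:-domain.com}"
SHARE="${SHARE:-home}"
MNT="${MNT:-/mnt/home}"

# Read "dig +short SRV" lines ("priority weight port target.") on stdin and
# print the target FQDNs, lowest priority first, then highest weight,
# with the trailing dot removed. Pure text processing, so it runs offline.
order_srv_targets() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# _ldap._tcp.dc._msdcs.<domain> lists every DC in the domain.
lookup_dcs() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN" | order_srv_targets
}

# Reachability probe: TCP 445 (SMB) answering within 1 second.
# Kept as its own function so it can be replaced when testing offline.
probe_dc() {
    nc -z -w 1 "$1" 445 >/dev/null 2>&1
}

# Print the first DC from stdin that passes probe_dc; fail if none does.
# The short per-host probe avoids hanging on a DC that is down.
pick_dc() {
    while read -r host; do
        if probe_dc "$host"; then
            printf '%s\n' "$host"
            return 0
        fi
    done
    return 1
}

mount_share() {
    dc=$(lookup_dcs | pick_dc) || { echo "no reachable DC for $DOMAIN" >&2; return 1; }
    # cruid tells cifs.upcall which user's Kerberos ticket cache to use.
    mount -t cifs "//$dc/$SHARE" "$MNT" -o sec=krb5,cruid="$(id -u)"
}

# Only act when run explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--mount" ]; then
    mount_share
fi
```

Run it as `DOMAIN=domain.com SHARE=home MNT=/home/user ./mount-dc.sh --mount` from a session that already holds a Kerberos TGT; pam-mount can call the same script in place of a fixed //server/share path. Because the probe is per host with a one-second limit, a dead DC costs about a second rather than the resolver's retry cycle, and the DNS lookup itself still goes through whichever nameserver in /etc/resolv.conf answers first.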