In my homelab I have an Active Directory with two DCs (domain controllers). TrueNAS is joined to Active Directory. If at least one DC is reachable, all is fine.
and the SMB-Service will be stopped automatically.
If one DC is reachable again later, the alert is cleared, with the following email:
The following alert has been cleared: “6, ‘WBC_ERR_WINBIND_NOT_AVAILABLE: wbcInterfaceDetails failed’, ‘…/…/nsswitch/py_wbclient.c:1686’”
But the SMB service is not started again automatically. I have to log in to the web interface and do it manually. For me it is not a problem when the SMB shares are not available while no DC is reachable. But having to restart the SMB service manually is not fine.
AD domain controllers are critical infrastructure that we expect to be available 24x7 (which is a reasonable expectation IMO). Best practice per MS is also to have minimally one non-virtualized DC.
You are right that DCs are critical infrastructure. So there are two separate DCs on different machines. So I have redundancy. But the TrueNAS is not so critical and is only connected by one LAN link. If there is a fault (e.g. a switch fault), the connection to the DCs is lost. At that moment the TrueNAS can’t work. That is OK. But I think it would be good system design that, when faults are cleared (e.g. switch), the system begins to work again automatically.
Is there a reason why the SMB daemon is stopping and winbind is deactivating? While winbind is automatically restarted, smbd is left stopped.
systemd-log:
Aug 04 17:58:41 nas systemd[1]: Stopping smbd.service - Samba SMB Daemon…
Aug 04 17:58:41 nas systemd[1]: smbd.service: Deactivated successfully.
Aug 04 17:58:41 nas systemd[1]: Stopped smbd.service - Samba SMB Daemon.
Aug 04 17:58:41 nas systemd[1]: Stopping winbind.service - Samba Winbind Daemon…
Aug 04 17:59:45 nas systemd[1]: winbind.service: Deactivated successfully.
Aug 04 17:59:45 nas systemd[1]: winbind.service: Consumed 3.455s CPU time.
Aug 04 17:59:45 nas systemd[1]: Starting winbind.service - Samba Winbind Daemon…
Aug 04 17:59:45 nas systemd[1]: Started winbind.service - Samba Winbind Daemon.
Is the configuration in the systemd service target file perhaps the reason for that behavior? I’m not so familiar with systemd. But is the reason “Requires=winbind.service”? Can “Requires” be replaced by “Wants”?
A healthy winbind domain connection will be required regardless for a stable SMB server. winbindd is required in order to resolve even local account SIDs, so having DCs available is non-negotiable here. I just merged in a change to the backend to restart dependent services (SMB / NFS) on directory services state change from FAULTED to HEALTHY, which addresses the case where DCs are unavailable and then become available.
Generally if a workplace relies on an identity service for access to the SMB service, and the identity service goes down, they don’t transition to local accounts - they work toward restoring the domain. This is because if your DCs are down everything is broken (much higher priority than SMB share access).
You are right that having DCs available is important.
My problem is not that the shares are not available while no DC is available. My problem is that the smbd service is stopped and not started again, even when the DCs come back, and the smbd service in TrueNAS must be restarted manually.
I have changed smbd.service, so that winbind.service is now “Wants”.
A short test was fine. While no DC was available the shares were also not available, but the SMB service and winbind service weren’t stopped. When a DC came back, the shares were available again, without a manual restart of the SMB service in TrueNAS.
As others have pointed out, if you’re building your infrastructure on AD, having a DC present is not optional. Your infrastructure stops working without an operational DC, by design. Your DCs are your AAA (Authorisation, Access, Audit) system, without them you can’t securely give access to data and services, and keep track of who’s doing what.
If you’re going to use AD you need to commit to having a DC operational whenever you want to access data and services using it.
Sorry, but I agreed to this. That is not the problem and is not discussed.
My problem is that TrueNAS disables the SMB service permanently when Active Directory Status: FAULTY.
TrueNAS does not enable the SMB service again when Active Directory Status goes to HEALTHY.
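Added example, not part of the thread and not TrueNAS code: a small Python check over the systemd log quoted above that reports which units ended on a stop job and were never started again. The function names are hypothetical; the sample input is the journal excerpt copied from the thread.

```python
import re

# Journal lines copied from the systemd log quoted in the thread.
SAMPLE_LOG = """\
Aug 04 17:58:41 nas systemd[1]: Stopping smbd.service - Samba SMB Daemon…
Aug 04 17:58:41 nas systemd[1]: smbd.service: Deactivated successfully.
Aug 04 17:58:41 nas systemd[1]: Stopped smbd.service - Samba SMB Daemon.
Aug 04 17:58:41 nas systemd[1]: Stopping winbind.service - Samba Winbind Daemon…
Aug 04 17:59:45 nas systemd[1]: winbind.service: Deactivated successfully.
Aug 04 17:59:45 nas systemd[1]: winbind.service: Consumed 3.455s CPU time.
Aug 04 17:59:45 nas systemd[1]: Starting winbind.service - Samba Winbind Daemon…
Aug 04 17:59:45 nas systemd[1]: Started winbind.service - Samba Winbind Daemon.
"""

# systemd job messages have the form "<Verb> <unit>.service - <description>".
# Per-unit status lines ("smbd.service: Deactivated ...") do not match.
JOB_RE = re.compile(
    r"systemd\[1\]: (Starting|Started|Stopping|Stopped) (\S+\.service)\b"
)
# Timestamp prefix of the default short journal format, e.g. "Aug 04 17:58:41".
TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")


def last_job_state(log_text):
    """Return {unit: (verb, timestamp)} for the last job message per unit."""
    state = {}
    for line in log_text.splitlines():
        job = JOB_RE.search(line)
        ts = TS_RE.match(line)
        if job and ts:
            state[job.group(2)] = (job.group(1), ts.group(1))
    return state


def units_left_stopped(log_text):
    """Units whose final job message is a stop, i.e. no later start was logged."""
    return sorted(
        unit
        for unit, (verb, _) in last_job_state(log_text).items()
        if verb in ("Stopping", "Stopped")
    )


if __name__ == "__main__":
    for unit, (verb, ts) in sorted(last_job_state(SAMPLE_LOG).items()):
        print(f"{unit}: last job message '{verb}' at {ts}")
    print("left stopped:", units_left_stopped(SAMPLE_LOG))
```

The same functions can be fed the output of `journalctl -u smbd -u winbind` to check a longer window after a DC outage.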