Народ, помогите!!! Уже голову сломал...
Сделал прокси на Fedora, squid, samba, winbind. Ввел в домен Windows 2003.
Все работает, пользователи авторизуются, когда первый контроллер работает.
Отключаю его — пользователи не авторизуются, а по идее должны авторизоваться со второго контроллера домена. Даже локально нельзя зайти под root'ом, тормозит всё. Народ, подскажите, кто делал такую отказоустойчивую систему.
Мои конфиги:
it.local - имя домена
pdc - 172.16.1.210
sdc - 172.16.1.211
[root@gate ~]# vi /etc/resolv.conf
# Both resolvers are the domain controllers themselves (sdc first, pdc second);
# if one DC is down, lookups that hit it first must time out before the
# resolver moves to the next nameserver.
nameserver 172.16.1.211
nameserver 172.16.1.210
domain it.local
search it.local
[root@gate ~]# vi /etc/nsswitch.conf
# Lookup order: local files first, then winbind. Local accounts such as root
# are answered from /etc/passwd and /etc/group before any domain query is made.
passwd: files winbind
group: files winbind
здесь я экспериментировал с настройками, всё равно не работает
[root@gate ~]# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm and KDC discovery is delegated to DNS (dns_lookup_realm/dns_lookup_kdc),
# so the [realms] block below acts alongside the DNS records, not instead of them.
default_realm = IT.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
IT.LOCAL = {
# Only the bare domain name is configured as KDC/admin server; the per-controller
# entries (dc1/dc2) are commented out.
# NOTE(review): with a single kdc line, which controller is contacted depends
# entirely on what it.local resolves to at that moment — confirm that the name
# still resolves to the surviving DC when the other one is offline before relying
# on this for failover; the commented per-DC lines are the explicit alternative.
kdc = it.local:88
# kdc = dc1.it.local
# kdc = dc2.it.local
admin_server = it.local:749
# admin_server = dc1.it.local
# admin_server = dc2.it.local
default_domain = it.local
}
[domain_realm]
# Map both the domain and all its subdomains to the realm.
.it.local = IT.LOCAL
it.local = IT.LOCAL
[appdefaults]
# Settings consumed by the Kerberos PAM module; debug output is off.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
~
[root@gate ~]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
dos charset = cp866
unix charset = koi8-r
display charset = koi8-r
workgroup = IT
realm = IT.LOCAL
server string = IT Argus Proxy Server
interfaces = eth0
bind interfaces only = Yes
security = ADS
password server = dc1.it.local dc2.it.local
passdb backend = tdbsam
log file = /var/log/samba/samba.log
max log size = 500
os level = 0
local master = No
domain master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = @
winbind cache time = 60
winbind enum users = Yes
winbind enum groups = Yes
winbind offline logon = Yes
hosts allow = 172.16.1., 127.0.0.1
[root@gate ~]#
[root@gate ~]# net ads info
LDAP server: 172.16.1.210
LDAP server name: dc1.it.local
Realm: IT.LOCAL
Bind Path: dc=IT,dc=LOCAL
LDAP port: 389
Server time: Fri, 27 Mar 2009 11:20:52 NOVT
KDC server: 172.16.1.210
Server time offset: 7
[root@gate ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: galeksd@IT.LOCAL
Valid starting Expires Service principal
03/19/09 09:55:37 03/19/09 19:56:47 krbtgt/IT.LOCAL@IT.LOCAL
renew until 03/20/09 09:55:37
03/19/09 11:43:26 03/19/09 19:56:47 dc1$@IT.LOCAL
renew until 03/20/09 09:55:37
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@gate ~]# net cache list
Key: SAF/DOMAIN/IT Timeout: 11:35:45 Value: 172.16.1.210
Key: NBT/DC2.IT.LOCAL#20 Timeout: 11:31:45 Value: 172.16.1.211:0
Key: SAF/DOMAIN/IT.LOCAL Timeout: 11:35:45 Value: 172.16.1.210
Key: NBT/DC1.IT.LOCAL#20 Timeout: 11:31:45 Value: 172.16.1.210:0
Key: AD_SITENAME/DOMAIN/IT Timeout: Tue Jan 19 09:14:07 2038 Value: itsite
[root@gate ~]#