winbind/kerberos with multiple DCs fail to authenticate

Gerald (Jerry) Carter jerry at samba.org
Fri Jul 25 18:04:20 GMT 2003



On Fri, 25 Jul 2003, Adrian Chung wrote:

> While testing the latest Samba3.0.0beta3, I notice that if I don't
> specify a password server winbind appears to look it up via DNS, and
> with two DCs, picks one.  However, my krb5.conf specifies a particular
> Kerberos server (one of the two DCs), and so occasionally, winbind
> will pick the first DC, and kerberos uses the other.
> 
> When this happens, I can't seem to connect to any shares on the Samba
> servers, and also can't authenticate against the domain.
> 
> Once I set the 'password server' directive to reflect the same DC as
> in my krb5.conf file, everything works fine.
> 
> Is this expected behaviour, or am I missing something that would make
> it possible for me to specify both DCs in both my smb.conf and
> krb5.conf configs?
> 
> Does it even matter if Kerberos uses the first DC, and winbind uses
> the other?  Or is that just a red herring?
> 
> I know that I can specify both servers in both my password server list
> and krb5.conf, but that's still no guarantee that they'll both pick
> the same server each time.

Hmmm... I run this same setup and winbindd always picks the server not
listed in krb5.conf due to the way the IPs are sorted. I've never had
this problem. Can you give me some more details as to how you came to
the conclusion posted here?

Thanks.



cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)
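
One way to collect the details asked for in the reply above, as an added example that is not part of the original thread and is not Samba code: it lists which DCs the smb.conf `password server` line and the krb5.conf `kdc` entries name, and where the two differ. The config contents, realm and host names are constructed samples.

```python
import re

# Constructed sample configs (hypothetical realm and hosts, not from the thread).
SMB_CONF = """[global]
   security = ads
   realm = EXAMPLE.COM
   password server = dc1.example.com
"""
KRB5_CONF = """[realms]
 EXAMPLE.COM = {
  kdc = dc2.example.com:88
 }
"""

def smb_password_servers(smb_conf):
    # Hosts from 'password server'; an empty list or '*' means winbind looks DCs up itself.
    servers = []
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf parameter names ignore case and embedded whitespace.
        if re.sub(r"\s+", "", key).lower() == "passwordserver":
            servers = [s.lower() for s in re.split(r"[,\s]+", value.strip()) if s]
    return servers

def krb5_kdcs(krb5_conf, realm):
    # kdc hosts (port stripped) listed for one realm inside the [realms] section.
    kdcs, section, current = [], None, None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, current = line.strip("[]").lower(), None
        elif section == "realms":
            opened = re.match(r"(\S+)\s*=\s*\{", line)
            kdc = re.match(r"kdc\s*=\s*(\S+)", line)
            if opened:
                current = opened.group(1)
            elif line.startswith("}"):
                current = None
            elif kdc and current == realm:
                kdcs.append(kdc.group(1).split(":")[0].lower())
    return kdcs

def compare(smb_conf, krb5_conf, realm):
    smb, kdc = smb_password_servers(smb_conf), krb5_kdcs(krb5_conf, realm)
    return {"auto_lookup": not smb or "*" in smb,
            "only_in_smb": sorted(set(smb) - set(kdc) - {"*"}),
            "only_in_krb5": sorted(set(kdc) - set(smb))}
```

Calling `compare(SMB_CONF, KRB5_CONF, "EXAMPLE.COM")` reports each file's DCs that the other does not name, which is the kind of detail worth attaching to a report like this one.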




