winbind/kerberos with multiple DCs fail to authenticate

Adrian Chung adrian at
Fri Jul 25 19:59:21 GMT 2003

On Fri, Jul 25, 2003 at 01:04:20PM -0500, Gerald (Jerry) Carter wrote:
> > While testing the latest Samba3.0.0beta3, I notice that if I don't
> > specify a password server winbind appears to look it up via DNS, and
> > with two DCs, picks one.  However, my krb5.conf specifies a particular
> > Kerberos server (one of the two DCs), and so occasionally, winbind
> > will pick the first DC, and kerberos uses the other.
> > 
> > When this happens, I can't seem to connect to any shares on the Samba
> > servers, and also can't authenticate against the domain.
> Hmmm... I run this same setup and winbindd always picks the server not 
> listed in krb5.conf due to the way the IPs are sorted.  I've never had 
> this problem.  Can you give me some more details as to how you came to 
> the conclusion posted here?

Well, I've just done some more testing, and with both DCs in my
krb5.conf and both listed in 'password server =', everything's working
just fine.

I apologize for the interruption.  I've been having intermittent
trouble with winbindd just suddenly refusing to authenticate AD users
until it's restarted, but I'm going to try and collect a level 3 log
to see if it will shed more light on the situation.  I notice that
when it happens, wbinfo --sequence says "DOMAIN: disconnected" instead
of a sequence number, although it can still query either the users or
groups in the domain, but usually not both, and wbinfo -t works fine.

Around the same time I was troubleshooting the intermittent problems,
I was also playing around with the krb5.conf and password server
settings, so I probably broke something inadvertently.

Adrian Chung (adrian at enfusion-group dot com)
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[xavier] up 20:21, 9 users, load average: 0.62
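
A consistency check for the setup described in the message above (the same DCs in krb5.conf and in 'password server ='), as an added example that is not part of the original post or of Samba. The realm, the host names and both sample files are constructed placeholders, and the parsers cover only the simple layouts shown.

```python
import re

# Constructed sample files; realm and host names are placeholders.
KRB5_CONF = """[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }
"""
SMB_CONF = """[global]
    security = ads
    realm = EXAMPLE.COM
    password server = dc1.example.com, dc2.example.com
"""

def krb5_kdcs(text, realm):
    """Hosts named on kdc lines inside the realm's block of krb5.conf."""
    m = realm and re.search(r"^\s*%s\s*=\s*\{(.*?)\}" % re.escape(realm), text, re.S | re.M)
    if not m:
        return set()
    hosts = re.findall(r"^\s*kdc\s*=\s*(\S+)", m.group(1), re.M)
    return {h.split(":")[0].lower() for h in hosts}  # drop an optional :port

def smb_global(text, key):
    """Value of a [global] parameter in smb.conf, or None if it is unset."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            if " ".join(name.lower().split()) == key:
                return value.strip()
    return None

def compare(krb5_text, smb_text):
    """Report DCs that are listed in only one of the two files."""
    realm = smb_global(smb_text, "realm") or ""
    listed = smb_global(smb_text, "password server") or ""
    samba = {s.lower() for s in re.split(r"[,\s]+", listed) if s}
    auto = not samba or "*" in samba  # unset or "*": DC is looked up, not pinned
    samba.discard("*")
    kdcs = krb5_kdcs(krb5_text, realm)
    return {"auto_lookup": auto, "only_krb5": kdcs - samba, "only_samba": samba - kdcs}

if __name__ == "__main__":
    print(compare(KRB5_CONF, SMB_CONF))
```

An `auto_lookup` result of True means Samba's choice of DC is not pinned by smb.conf, which is the situation the quoted report describes, so a krb5.conf that names a single KDC can end up pointing at a different DC than winbindd uses.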
