winbind/kerberos with multiple DCs fail to authenticate
Adrian Chung
adrian at enfusion-group.com
Fri Jul 25 19:59:21 GMT 2003
On Fri, Jul 25, 2003 at 01:04:20PM -0500, Gerald (Jerry) Carter wrote:
[...]
> > While testing the latest Samba3.0.0beta3, I notice that if I don't
> > specify a password server winbind appears to look it up via DNS, and
> > with two DCs, picks one. However, my krb5.conf specifies a particular
> > Kerberos server (one of the two DCs), and so occasionally, winbind
> > will pick the first DC, and kerberos uses the other.
> >
> > When this happens, I can't seem to connect to any shares on the Samba
> > servers, and also can't authenticate against the domain.
>
> Hmmm... I run this same setup and winbindd always picks the server not
> listed in krb5.conf due to the way the IPs are sorted. I've never had
> this problem. Can you give me some more details as to how you came to
> the conclusion posted here?

Well, I've just done some more testing, and with both DCs in my
krb5.conf and both listed in 'password server =', everything's working
just fine.

I apologize for the interruption. I've been having intermittent
trouble with winbindd just suddenly refusing to authenticate AD users
until it's restarted, but I'm going to try and collect a level 3 log
to see if it will shed more light on the situation. I notice that
when it happens, wbinfo --sequence says "DOMAIN: disconnected" instead
of a sequence number, although it can still query either the users or
groups in the domain, but usually not both, and wbinfo -t works fine.

Around the same time I was troubleshooting the intermittent problems,
I was also playing around with the krb5.conf and password server
settings, so I probably broke something inadvertently.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[xavier] up 20:21, 9 users, load average: 0.62
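
Added example, not part of the original message or of Samba: a small Python check that compares the KDCs listed for a realm in krb5.conf with the hosts in smb.conf's 'password server =' line, the two settings the thread above is about. The realm, hostnames and both sample files are constructed placeholders.

```python
import re

# Constructed sample configs; realm and hostnames are placeholders.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }
"""
SMB_CONF = """\
[global]
    security = ads
    realm = EXAMPLE.COM
    password server = dc1.example.com, dc2.example.com
"""

def krb5_kdcs(text, realm):
    """Return the set of kdc hosts listed for `realm` in [realms]."""
    m = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                  text, re.S | re.M)
    if not m:
        return set()
    hosts = re.findall(r"^\s*kdc\s*=\s*(\S+)", m.group(1), re.M)
    return {h.split(":")[0].lower() for h in hosts}  # drop optional :port

def smb_password_servers(text):
    """Return hosts from 'password server ='; may include '*' (auto lookup)."""
    m = re.search(r"^\s*password\s+server\s*=\s*(.+)$", text, re.M | re.I)
    if not m:
        return set()
    parts = re.split(r"[,\s]+", m.group(1).strip())
    return {p.split(":")[0].lower() for p in parts if p}

def compare(krb5_text, smb_text, realm):
    """Report DCs that appear in one file but not the other."""
    kdcs = krb5_kdcs(krb5_text, realm)
    servers = smb_password_servers(smb_text)
    auto = "*" in servers or not servers  # winbind locates a DC itself
    servers.discard("*")
    return {"only_in_krb5": sorted(kdcs - servers),
            "only_in_smb": sorted(servers - kdcs),
            "auto_lookup": auto}

if __name__ == "__main__":
    print(compare(KRB5_CONF, SMB_CONF, "EXAMPLE.COM"))
```

A non-empty `only_in_smb` or a true `auto_lookup` means winbind may talk to a DC that krb5.conf does not name as a KDC.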