winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)

Dina_Fine at Dina_Fine at
Mon Apr 23 01:52:14 MDT 2012

It seems the winbind_krb5_locator doesn't function correctly when the Domain Controller has multiple network IPs and some of IPs are not reachable from the samba server system.
The reason seems to be that only the winbind_krb5_locator uses the WBC_LOOKUP_DC_IP_REQUIRED flag for dsgetdcname request.

All other flows (like join domain) use only the DNS name and then resolve the name->IP in a smart way (taking an IP which responds to ldap request).

P.S. We have a customer environment where this bug actually takes place. Sometimes the net join fails and sometime net ads testjoin fails due to Kerberos error: Cannot contact any KDC for requested realm
Debugging the winbind_krb5_locator showed it replies with incorrect IP for the Kerberos Domain Controller request which leads to Kerberos error.

Dina Fine
Engineering Team Leader
Dell | IDC
office +972 97698825,  fax +972 97698889
dina_fine at<mailto:dina_fine at>
Dell IDC. 89 Medinat Hayehudim St, Tower E, Herzeliya 46141, Israel

More information about the samba-technical mailing list