winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)

Jeremy Allison jra at
Mon Apr 23 14:55:48 MDT 2012

On Mon, Apr 23, 2012 at 08:52:14AM +0100, Dina_Fine at wrote:
> Hello
> It seems the winbind_krb5_locator doesn't function correctly when the Domain Controller has multiple network IPs and some of the IPs are not reachable from the Samba server system.
> The reason seems to be that only the winbind_krb5_locator uses the WBC_LOOKUP_DC_IP_REQUIRED flag for the dsgetdcname request.
> All other flows (like join domain) use only the DNS name and then resolve the name->IP in a smart way
> (taking an IP which responds to an LDAP request).
> P.S. We have a customer environment where this bug actually takes place. Sometimes the net join fails and sometimes net ads testjoin fails due to a Kerberos error: Cannot contact any KDC for requested realm
> Debugging the winbind_krb5_locator showed it replies with an incorrect IP for the Kerberos Domain Controller request, which leads to the Kerberos error.

Good catch - thanks! I'll take a look and decide where
we should do the filtering (probably inside the winbind_krb5_locator

If you want to log a bug with to track this
I'd appreciate it, but I will do so if you don't have time.


