winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)

Jeremy Allison jra at samba.org
Mon Apr 23 14:55:48 MDT 2012


On Mon, Apr 23, 2012 at 08:52:14AM +0100, Dina_Fine at Dell.com wrote:
> Hello
> It seems the winbind_krb5_locator doesn't function correctly when the Domain Controller has multiple network IPs and some of the IPs are not reachable from the samba server system.
> The reason seems to be that only the winbind_krb5_locator uses the WBC_LOOKUP_DC_IP_REQUIRED flag for the dsgetdcname request.
> 
> All other flows (like join domain) use only the DNS name and then resolve the name->IP in a smart way
> (taking an IP which responds to an LDAP request).
> 
> P.S. We have a customer environment where this bug actually takes place. Sometimes the net join fails and sometimes net ads testjoin fails due to the Kerberos error: Cannot contact any KDC for requested realm
> Debugging the winbind_krb5_locator showed it replies with an incorrect IP for the Kerberos Domain Controller request, which leads to the Kerberos error.

Good catch - thanks! I'll take a look and decide where
we should do the filtering (probably inside the winbind_krb5_locator
code).

If you want to log a bug with bugzilla.samba.org to track this
I'd appreciate it, but I will do so if you don't have time.

Cheers,

Jeremy.

