winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)

Dina_Fine at Dina_Fine at
Tue Apr 24 04:20:34 MDT 2012

Hi Jeremy
Thanks for the quick responce and the fix patch!

Two issues:

	I believe it has a little bug in the smb_krb5_locator_call_cbfunc function
	#ifdef DEBUG_KRB5
		if (ret) {
			fprintf(stderr, "[%5u]: smb_krb5_locator_lookup: "
				"failed to call callback: %s (%d)\n",
				(unsigned int)getpid(), error_message(ret), ret);
	It seems the 'ifdef DEBUG_KRB5' should be around the fprintf only.

2) It seems that the locator will return only IPv4 addresses (and indeed in the real enviroment it returns me only IPv4 IPs and skips the IPv6).


> -----Original Message-----
> From: Jeremy Allison [mailto:jra at]
> Sent: 24 April, 2012 02:01
> To: Fine, Dina; Terpstra, John
> Cc: samba-technical at
> Subject: Re: winbind_krb5_locator bug when the Domain Controller has multiple
> network IPs (smb3.5.8)
> On Mon, Apr 23, 2012 at 08:52:14AM +0100, Dina_Fine at wrote:
> > Hello
> > It seems the winbind_krb5_locator doesn't function correctly when the Domain
> Controller has multiple network IPs and some of IPs are not reachable from the
> samba server system.
> > The reason seems to be that only the winbind_krb5_locator uses the
> WBC_LOOKUP_DC_IP_REQUIRED flag for dsgetdcname request.
> >
> > All other flows (like join domain) use only the DNS name and then resolve the
> name->IP in a smart way (taking an IP which responds to ldap request).
> >
> > P.S. We have a customer environment where this bug actually takes
> > place. Sometimes the net join fails and sometime net ads testjoin fails due to
> Kerberos error: Cannot contact any KDC for requested realm Debugging the
> winbind_krb5_locator showed it replies with incorrect IP for the Kerberos Domain
> Controller request which leads to Kerberos error.
> Ok Dina, I think this patch will fix the winbind_krb5_locator to do what you need. It
> removes the WBC_LOOKUP_DC_IP_REQUIRED flag from the winbindd request, which
> means we'll only get the KDC DNS name back. Then we call the standard getaddinfo
> on that name but instead of just calling the plugin callback once, we call it for all
> addresses that the getaddrinfo returned, allowing the krb5 library to collect a list of
> all returned addresses.
> The list will still contain the unreachable IP's but at least one of them should be
> reachable, and the krb5 library should be able to work with this.
> Let me know if it fixes your problem and if so I'll get it into the next releases for
> 3.5.x and 3.6.x. The patch should apply cleanly to the 3.5.8 version you have.
> Thanks,
> 	Jeremy.

More information about the samba-technical mailing list