What was the resolution about why we are talking to DCs when a client authenticates with Kerberos

Jeremy Allison jra at samba.org
Thu Aug 27 21:21:52 UTC 2015


On Wed, Aug 05, 2015 at 10:25:16AM -0700, Richard Sharpe wrote:
> On Wed, Aug 5, 2015 at 10:16 AM, Uri Simchoni <urisimchoni at gmail.com> wrote:
> > The "shit-loads of DNS" is not my experience. Winbindd is supposed to
> > keep an open SMB connection (for RPC) and an LDAP connection per
> > domain. There was bug 11259 that caused an ldap reconnect per request,
> > if ldap was signed/sealed. After that got fixed, there was one ldap
> > and 3-4 RPCs per session-setup (typically, that obviously depends on
> > size of PAC and state of the winbindd cache), and that's what Jeremy
> > started working on. Once it came down to one ldap + a few RPCs, it
> > became bearable and dropped in priority, although I would love to see
> > it work without contacting at all - better scalability etc.
> 
> I am seeing 80+ DNS requests, which might be because we have 5 DCs in
> the domain being queried!
> 
> However, real customers out there (Fortune 500) are likely to have the
> same sort of thing, and it is a big problem when, because someone
> screwed up DNS server specification (not wrong, just on a different
> subnet) all of a sudden authentication starts failing or taking a long
> time.
> 
> Windows does not have that problem. Samba does!

Yes I know. Issue is with internal structuring of how
winbindd handles this and what order smbd/winbindd
currently do things.

I got a long way along the road of fixing this, then
realized I needed to refactor more than was easy
for a single bug report.

Still plan to fix this eventually though.

Jeremy.
