net ads join seems to restrict itself to the first 5 DCs of those it finds

Alexey A Nikitin nikitin at amazon.com
Fri Aug 9 15:33:29 UTC 2019


On Thursday, 8 August 2019 15:26:43 PDT Richard Sharpe via samba-technical wrote:
> Hi folks,
> 
> We are finding that net ads join is unable to join because it only
> issues cldap requests for the first five DCs it finds when looking up
> _ldap._tcp.realm ...
> 
> Is this correct?
> 
> The problem seems to be that sites and services is not correctly
> configured to return the closest DC first in the list and the one they
> should be contacting is around 16 out of 29 returned.
> 
> 

I cannot confirm (yet) seeing this issue in `net ads join`, but I have seen something similar in `adcli info`, where the code selects only the first five entries among the SRV RR for _ldap._tcp, leading to domain discovery failure in some setups where DNS is configured to return non-site-specific DCs yet firewalls block communications from clients to those DCs. One could rightfully say that the setup itself is broken, yet Windows is robust enough to handle that, but adcli wasn't.

I wrote a patch that fixes that behavior in adcli, it got accepted upstream some time ago. If someone can confirm this behavior with `net ads join` (or with Winbind in general - I have seen plenty of cases where it fails to locate DCs, just haven't yet had time to pinpoint the root cause) then I imagine the patch for `net ads join` shouldn't be too difficult to write either.
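To illustrate the discovery behaviour discussed in this thread, here is an added example (not Samba's, Winbind's or adcli's code): it orders the `_ldap._tcp` SRV answer per RFC 2782 and probes every candidate, with a `limit` parameter that reproduces the first-five truncation. The SRV records, the `probe` callback standing in for the CLDAP ping, and the `KeepDnsOrder` RNG stand-in are all constructed for the example.

```python
# Added example (not Samba, Winbind or adcli code): walk the whole _ldap._tcp
# SRV answer when locating a DC instead of only its first five entries. Records
# and the `probe` callback (stand-in for the CLDAP ping) are constructed here.
import random
from typing import List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: List[SrvRecord], rng) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first, weighted random within it."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)  # zero-weight first
        while group:
            pick, acc = rng.randint(0, sum(r.weight for r in group)), 0
            for rec in group:
                acc += rec.weight
                if acc >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def find_dc(records, probe, rng=None, limit=None):
    """First DC that answers `probe`. `limit` reproduces the truncation the
    thread describes; None tries every candidate in the SRV answer."""
    candidates = order_srv(records, rng or random.Random())[:limit]
    return next((r.target for r in candidates if probe(r.target, r.port)), None)


# Constructed sample: 29 non-site-specific DCs with equal priority and weight,
# only the 16th reachable through the client-side firewall.
SRV_RECORDS = [SrvRecord(0, 100, 389, f"dc{i:02d}.example.test")
               for i in range(1, 30)]


def probe(host: str, port: int) -> bool:  # stand-in for the CLDAP ping
    return host == "dc16.example.test"


class KeepDnsOrder:
    """Stand-in RNG preserving answer order, so runs are reproducible."""
    def randint(self, a: int, b: int) -> int:
        return a
```

With `KeepDnsOrder`, the five-entry limit never reaches the reachable DC and discovery fails, while walking the full answer finds it at position 16.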

