[Samba] winbind/kerberos with multiple DCs fail to authenticate.

Adrian Chung adrian at enfusion-group.com
Mon Jul 21 01:04:21 GMT 2003

While testing the latest Samba3.0.0beta3, I notice that if I don't
specify a password server winbind appears to look it up via DNS, and
with two DCs, picks one.  However, my krb5.conf specifies a particular
Kerberos server (one of the two DCs), and so occasionally, winbind
will pick the first DC, and kerberos uses the other.

When this happens, I can't seem to connect to any shares on the Samba
servers, and also can't authenticate against the domain.

Once I set the 'password server' directive to reflect the same DC as
in my krb5.conf file, everything works fine.

Is this expected behaviour, or am I missing something that would make
it possible for me to specify both DCs in both my smb.conf and
krb5.conf configs?

Does it even matter if Kerberos uses the first DC, and winbind uses
the other?  Or is that just a red herring?

I know that I can specify both servers in both my password server list
and krb5.conf, but that's still no guarantee that they'll both pick
the same server each time.

Adrian Chung (adrian at enfusion-group dot com)
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 9:03pm up 57 days, 22:40, 10 users

More information about the samba mailing list