[Samba] password server and round robin dns of DCs

Matt Baker m at wheres.co.uk
Mon Jul 2 11:54:07 GMT 2007 

Hi All,

I've been having a problem recently with LDAP queries for group names in
winbind. I'm fairly certain the problem is to do with the fact that I'm
using a round robin dns name for the password server. When samba starts
it attaches itself to what I presume is the first server that returns
from the dns lookup. When that server is taken down for maintenance it
causes winbind to stop resolving group names, etc. see below for more
details.

My config:

[global]
        workgroup = XXX
        realm = xxx.xxxxx.xxx
        netbios name = XXXX-XXXXX
        server string = %h server (Samba %v)
        security = ADS
        obey pam restrictions = Yes
        password server = xxx.xxxxx.xxx
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        restrict anonymous = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = No
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = Yes
        invalid users = root
        hosts allow = xxx.xxx.34.0/255.255.255.0,
xxx.xxx.16.0/255.255.255.0, 127.0.0.1



My /var/log/samba/log.winbind:

2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x2f to
machine XXX-DC.  Error
was Call timed out: server did not respond after 10000 milliseconds
[2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x4004 to
machine XXX-DC.  Er
ror was Call timed out: server did not respond after 10000 milliseconds
[2007/07/01 18:04:00, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/07/01 18:04:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid
S-1-5-21-1117850145-1682116191-196506527-513 in d
omain UOB (error: NT_STATUS_UNSUCCESSFUL)
[2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(346)
  could not lookup sid
...
[2007/07/01 18:11:48, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/07/01 18:11:48, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:11:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid ...
nsswitch/winbindd_group.c:winbindd_getgrnam(259)
  group XXX-group in domain XXX does not exist
...


It was my hope that the round robin dns would be expanded and Samba
would retry the other servers in the DNS lookup. I can see now this does
not work (although I'd like confirmation of this if possible).

Authentication continues to work; the Kerberos realm uses the same round
robin dns entry.

I wonder if this classifies as a bug or feature request or is deliberate
by design? I cannot use "password server = *" as the member servers are
not sitting in the same IP subnet as the DCs, as I am aware, the
discovery uses the netmask.

I'm quite willing to change it to a know list of DCs but the round robin
somehow seemed nicer.

Any suggestions gladly welcomed.

Matt

More information about the samba mailing list