[Samba] winbind occasionally failing to find domain controllers for trusted domains

Jason Haar Jason.Haar at trimble.co.nz
Thu Mar 15 03:51:19 GMT 2007

Hi there

We have a bunch of Win2K3 trusted domains that are parts of other
forests from our own Win2K3 forest.

Most times Samba works just fine with allowing users from such trusted
domains to connect to its shares, but now and then it "gets out of
whack" and loses access/information about these "other" domains. "log
level = 9" shows things like the following when querying for details
about such domains (e.g. "wbinfo -D TRUSTED"):

[2007/03/15 03:36:02, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for TRUSTED-DOM-02#20 found.
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 4] libsmb/namequery.c:getlmhostsent(690)
  getlmhostsent: lmhost entry: localhost
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(839)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/03/15 03:36:03, 2]
  Could not resolve DC name TRUSTED-DOM-02 for domain TRUSTED

This isn't surprising. "TRUSTED" is on a completely different network
from ours, and won't be reachable via broadcasts - only DNS can be
relied on. The domain "TRUSTED" maps to AD name "TRUSTED.NET" - and that
is resolvable (pointing to all the DCs for that domain). Similarly,
"trusted-dom-02.trusted.net" actually resolves to that host. It just
appears that Samba doesn't "do" such a lookup? And I can't just add
"trusted.net" to /etc/resolv.conf - we have over 8 trusts in place -
each with different DNS domains (and growing - acquisitions will do that
to you ;-) and I don't fancy the DNS delays.

Needless to say, all this works under Windows. Our existing Win2K3 AD
infrastructure suffers no issues with such relationships - only Samba
seems to pick up such problems. I would have thought that if a Samba
server was using "security = ADS", that such "NT4-style" lookup options
would be deprecated in preference of DNS and LDAP?

I know I can fix this problem by hard-wiring such hostnames into
/etc/samba/lmhosts - but that sort of defeats the purpose. We certainly
tear down and build up new DCs often enough to turn that into a
maintenance disaster anyway ;)

Have I missed something that could make these trusts more reliable? We
are running Samba-3.0.24 under CentOS4.4



Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
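As an added illustration (constructed for this page, not code from the poster or from the Samba project): a small parser for winbindd debug output of the kind quoted above. It groups each `[timestamp, level]` record with its continuation lines, pairs every "Could not resolve DC name" failure with the lookup methods attempted for that NetBIOS name, and notes whether Samba's `host` method (the one that consults the system resolver, i.e. DNS) appeared among them. It also builds the `_msdcs` SRV names an AD client queries to find DCs for a domain such as TRUSTED.NET, so an operator can verify with `dig`/`host` that those records are reachable from the Samba box. The sample log is modelled on the post's output; the assumption that the DNS resolver logs with the same "Attempting <method> lookup" wording as the lmhosts and wins resolvers is marked in the code.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator

# Constructed sample, modelled on the winbindd output quoted in the post.
SAMPLE_LOG = """\
[2007/03/15 03:36:02, 5] libsmb/namecache.c:namecache_fetch(195)
  no entry for TRUSTED-DOM-02#20 found.
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_lmhosts(939)
  resolve_lmhosts: Attempting lmhosts lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(836)
  resolve_wins: Attempting wins lookup for name TRUSTED-DOM-02<0x20>
[2007/03/15 03:36:02, 3] libsmb/namequery.c:resolve_wins(839)
  resolve_wins: WINS server resolution selected and no WINS servers listed.
[2007/03/15 03:36:03, 2]
  Could not resolve DC name TRUSTED-DOM-02 for domain TRUSTED
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]")
# Assumption: every name resolver logs "Attempting <method> lookup for name NAME<0xTT>",
# as the lmhosts and wins resolvers do in the quoted output.
ATTEMPT = re.compile(r"Attempting (\w+) lookup for name (\S+?)<0x[0-9a-fA-F]+>")
FAILURE = re.compile(r"Could not resolve DC name (\S+) for domain (\S+)")


@dataclass
class DcLookupFailure:
    timestamp: str
    dc_name: str
    domain: str
    methods_tried: list[str] = field(default_factory=list)

    @property
    def dns_consulted(self) -> bool:
        # Samba's "host" method is the one that uses the system resolver (DNS).
        return "host" in self.methods_tried


def records(log_text: str) -> Iterator[tuple[str, int, str]]:
    """Yield (timestamp, level, message) per log record, joining indented continuation lines."""
    ts, level, body = None, 0, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, level, " ".join(p for p in body if p)
            ts, level, body = m.group(1), int(m.group(2)), [line[m.end():].strip()]
        elif ts is not None:
            body.append(line.strip())
    if ts is not None:
        yield ts, level, " ".join(p for p in body if p)


def find_dc_failures(log_text: str) -> list[DcLookupFailure]:
    """Pair each DC-resolution failure with the lookup methods tried for that name beforehand."""
    attempts: dict[str, list[str]] = {}  # NetBIOS name -> methods tried, in order
    failures: list[DcLookupFailure] = []
    for ts, _level, msg in records(log_text):
        a = ATTEMPT.search(msg)
        if a:
            attempts.setdefault(a.group(2).upper(), []).append(a.group(1))
            continue
        f = FAILURE.search(msg)
        if f:
            name, domain = f.group(1), f.group(2)
            failures.append(DcLookupFailure(ts, name, domain, attempts.pop(name.upper(), [])))
    return failures


def ad_dc_srv_names(dns_domain: str) -> list[str]:
    """SRV names an AD client queries to locate DCs for a domain (LDAP and Kerberos)."""
    d = dns_domain.rstrip(".").lower()
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}"]


if __name__ == "__main__":
    for fail in find_dc_failures(SAMPLE_LOG):
        print(f"{fail.timestamp}: no DC for domain {fail.domain} (tried {fail.dc_name} via "
              f"{', '.join(fail.methods_tried) or 'nothing'}; DNS consulted: {fail.dns_consulted})")
    for srv in ad_dc_srv_names("TRUSTED.NET"):
        print("check with: dig SRV", srv)
```

Running it over the sample reports one failure for domain TRUSTED in which only the lmhosts and wins methods were attempted and DNS never was, which is the observation the post makes in prose; the printed SRV names are the records to check from the Samba host when comparing its behaviour with a Windows member's.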
