[Samba] Restricting to a subset of the domain controllers on a site

Wayne Rasmussen Wayne at gomonarch.com
Tue May 29 21:24:45 GMT 2007

Had a situation where users could not map drives from Windows XP to 
Solaris 9 system running Samba-3.0.10 for Active Directory.  This
system has been running for a couple of years without problems. Now
recently, the site administrators have added some new servers to the
domain which may have introduced a problem.

This krb5.conf file has been modified to hide the site in question.
        default_realm = sanatized
        default_tgs-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_tkt-enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
        default_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

        sanatized = {
                kdc = DC1a.sanatized
                kdc = DC2a.sanatized
                kdc = DC3a.sanatized
                kdc = DC4a.sanatized
                admin_server = DC3a.sanatized

	.sanatized = sanatized
	sanatized = sanatized

        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        admin_server = FILE:/var/log/kadmin.log
	kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

		period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1,

		versions = 10

	kinit = {
		renewable = true
		forwardable= true
	gkadmin = {
		help_url =

So the system is expecting to see the following Domain Controllers:
   DC1a DC2a DC3a DC4a

However, when users were experiencing problems, we saw the following
klist was run.

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: IL02mcs at sanatized

Valid starting     Expires            Service principal
05/29/07 11:04:53  05/29/07 21:04:53  krbtgt/sanatized at sanatized
	renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
	renew until 05/30/07 11:04:53
05/29/07 11:05:09  05/29/07 11:07:09  kadmin/changepw at sanatized
	renew until 05/29/07 11:07:09

Kerberos 4 ticket cache: /tmp/tkt0

The line that concerns me is:
05/29/07 11:05:09  05/29/07 21:04:53  exchgc01a$@sanatized
   renew until 05/30/07 11:04:53

Anytime a DC other than DC1a DC2a DC3a DC4a gets used, users have
mapping drives.

We had no record of a domain controller named exchgc01a in the
The admins have recently added a number of servers which they are saying
they are catalog servers as part of their exchange setup and should not
be used for authentication at all.  The domain controllers they have

They are telling us that we must restrict to only authenticating to the
domain controllers: DC1a DC2a DC3a DC4a

Is there a way to do this?  Is their request unreasonable?

There is a password server setting, but is that good enough and can you
give it more than a single machine? What if the machine is down for an
unscheduled problem?

Personally, I don't think the new servers should be issuing tickets if
they are not used for authentication.  They just called be and will
checking to see if that is the case...

More information about the samba mailing list