[Samba] replication error?

[Steve Thompson]

On Wed, 29 Aug 2012, Steve Thompson wrote:

> Samba4 beta6. CentOS 6.3.
>
> I have a CentOS client, using sssd, bound to a samba4 domain. The sssd 
> configuration uses GSSAPI to bind to the directory. In both scenarios below, 
> kerberos is fine, DNS is fine, I can use ldapsearch and bind to the directory 
> with GSSAPI just fine, etc.
>
> If I have just one DC, everything works perfectly well for weeks on end.
>
> If I have two or more DC's, everything works fine when the machine is first 
> bound to the domain. Sssd caches the login info, but eventually this times 
> out and another call to Samba has to be made to refresh the cache. The SASL 
> bind to the directory fails with:
>
>  (Wed Aug 29 11:40:56 2012) [sssd[be[SAMBA4]]] [sasl_bind_send] (0x0020):
>  ldap_sasl_bind failed (49)[Invalid credentials]
>
> Some time later, it starts working again, presumably because the first DC
> popped up in the name resolution order once again. The client configuration 
> is unchanged from the first (working) scenario.

After much weeping and gnashing of teeth, it appears that this one is down 
to sssd. I had specified ldap_uri in sssd.conf as pointing to the 
round-robin DNS entry:

 	ldap_uri = ldap://realm.foo.bar.baz

where realm.foo.bar.baz is created in DNS by samba4, and points to six IP 
addresses (two DC's with three interfaces each). It turns out that this is 
not supported by sssd (really, wtf?). By changing it to point to the IP 
addresses:

 	ldap_uri = ldap://<ip-of-dc1>,ldap://<ip-of-dc2>

with two corresponding kdc entries in krb5.conf, it now appears to work 
(including if I shut down dc1).

Steve