[Samba] Replication with Multiple Sites in a Hub and Spoke Topology

Garming Sam garming at catalyst.net.nz
Thu Dec 22 21:13:38 UTC 2016


I believe what you've done should be the most effective solution
currently. The KDC is just being picked arbitrarily from DNS, which
doesn't respect the site information. It would be nice to have a better
solution, or just a better way to diagnose these issues.



On 20/12/16 07:42, Dale Renton wrote:
> On Sun, Dec 18, 2016 at 5:20 PM, Garming Sam <garming at catalyst.net.nz> wrote:
>     Hi,
>     It seems unlikely that the KCC is the cause of these issues. The
>     KCC is only responsible for telling who to connect (and when) and
>     doesn't actually affect any underlying network connectivity.
>     Connectivity between the spokes should not be required and the
>     communication between them is usually just some stale data. But
>     none of that should affect either of these commands.
>     Unless the DRS server is particularly busy, it points to actual
>     connectivity issues. If you're running samba-tool drs showrepl, it
>     looks like it should only contact the DC you are on. How long does
>     it take before each of the commands bail out? When doing the domain
>     join, do you pick a particular server (and/or IP) to run against,
>     and does it make a difference?
> I figured out the problem.  I ran the strace command on 'samba-tool
> drs showrepl' and indeed it did show one spoke trying to communicate
> with another spoke.  This is where the command would hang for 2
> minutes and return the NT_STATUS_IO_TIMEOUT.
> I changed the krb5.conf on DC3 only (left the hub domain controllers
> as is) from:
>   [libdefaults]
>         default_realm = AD.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> to
>   [libdefaults]
>         default_realm = AD.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>   [realms]
>         AD.EXAMPLE.COM = {
>                 kdc = DC3.AD.EXAMPLE.COM
>                 admin_server = DC3.AD.EXAMPLE.COM
>                 default_domain = AD.EXAMPLE.COM
>         }
> Now everything seems to be working again.  The domain join worked
> great too.  I'm assuming there is no harm in making this change?
> Thanks,
> Dale
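An added configuration check, not code from this thread or from Samba: it parses a krb5.conf shaped like Dale's pinned version (the sample is constructed from the thread's example names, with the [realms] block closed) and flags what turning off dns_lookup_kdc costs, since the client then knows only the kdc lines it is given: none means nothing to contact, exactly one means no failover if that DC is unreachable.

```python
import re

# Constructed sample: the thread's pinned "after" krb5.conf, [realms] block closed.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = AD.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
[realms]
        AD.EXAMPLE.COM = {
                kdc = DC3.AD.EXAMPLE.COM
                admin_server = DC3.AD.EXAMPLE.COM
                default_domain = AD.EXAMPLE.COM
        }
"""

def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf parser; repeated keys (e.g. several kdc lines) become a list."""
    conf: dict = {}
    section: dict = {}   # lines before the first [section] header are ignored
    sub = None           # current { ... } subsection, if any
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if header := re.fullmatch(r"\[(\w+)\]", line):
            section, sub = conf.setdefault(header.group(1), {}), None
        elif line == "}":
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (sub if sub is not None else section).setdefault(key, []).append(value)
    return conf

def check_kdc_pinning(conf: dict) -> list:
    """dns_lookup_kdc = false means only the listed kdc lines are used: none or one is a risk."""
    findings: list = []
    libdefaults = conf.get("libdefaults", {})
    if libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() != "false":
        return findings  # still resolving KDCs via DNS SRV; nothing is pinned
    realm = libdefaults.get("default_realm", [""])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if not kdcs:
        findings.append(f"dns_lookup_kdc is false but no kdc is listed for {realm}")
    elif len(kdcs) == 1:
        findings.append(f"{realm} is pinned to a single kdc ({kdcs[0]}); no failover")
    return findings
```

Adding a second kdc line for another in-site DC clears the single-KDC finding while keeping the site-local pinning the thread describes.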
