[Samba] samba-tool hangs when using kerberos auth when a DC or site is offline

Anthony Mercatante tonio at ubuntu.com
Wed Jan 12 16:07:31 UTC 2022


I've been trying to fix this for months now.
I have 2 sites, 2 DCs per site, with dhcp failover and dhcp to dns provisioning on each of them.

The 2 sites are linked with proper routes and a wireguard vpn and it works like a charm since 2015.

The thing is that when the 2 sites are unlinked because the vpn is down, any samba-tool request that uses the -k option starts responding slowly, sometimes hanging forever.

To make this clear, on Site 1, DC 1, I'm launching this command:
samba-tool dns query DC1 domain.lan PC01 A -k yes

Response time is about 0.1 s, sometimes 0.2, every time, very efficiently.

When I stop the VPN, it sometimes responds in 0.1 sec, sometimes in 10 seconds, sometimes never. Same thing with any other samba-tool command, as long as I use the "-k yes" option (kerberos auth).

In my case this breaks the dhcp-dns script, now based on samba-tool, which breaks the dhcp, which breaks... Everything ;) When I meet an internet connection issue, my LAN breaks, simple.

Using samba-tool with debug level 9 doesn't help, since the issue is with kerberos (no hang with -U option), but nothing in the logs or the output indicates a problem, it just seems to "wait" and never times out.

Any help appreciated!

