winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)
Dina_Fine at Dell.com
Tue Apr 24 05:07:49 MDT 2012
I am not sure anymore about the IPv6/IPv4. Also without the locator I see only the IPv4 addresses and I see only those addresses on wire sniffing.
So perhaps it was a false alarm.
I am attaching the patch I have applied which is based on yours plus the fix for "#ifdef" mentioned below and also I added the debug messages for returned addresses which help to see what exactly the Kerberos gets from the locator.
Thanks for your help.
Dina Fine.
> -----Original Message-----
> From: Fine, Dina
> Sent: 24 April, 2012 13:21
> To: 'Jeremy Allison'; Terpstra, John
> Cc: samba-technical at lists.samba.org
> Subject: RE: winbind_krb5_locator bug when the Domain Controller has multiple
> network IPs (smb3.5.8)
>
> Hi Jeremy
> Thanks for the quick response and the fix patch!
>
> Two issues:
>
> 1)
> I believe it has a little bug in the smb_krb5_locator_call_cbfunc function
> #ifdef DEBUG_KRB5
>     if (ret) {
>         fprintf(stderr, "[%5u]: smb_krb5_locator_lookup: "
>                 "failed to call callback: %s (%d)\n",
>                 (unsigned int)getpid(), error_message(ret), ret);
>         break;
>     }
> #endif
> It seems the 'ifdef DEBUG_KRB5' should be around the fprintf only.
>
> 2) It seems that the locator will return only IPv4 addresses (and indeed in the real
> environment it returns me only IPv4 IPs and skips the IPv6).
>
> Thanks!
> Dina
>
> > -----Original Message-----
> > From: Jeremy Allison [mailto:jra at samba.org]
> > Sent: 24 April, 2012 02:01
> > To: Fine, Dina; Terpstra, John
> > Cc: samba-technical at lists.samba.org
> > Subject: Re: winbind_krb5_locator bug when the Domain Controller has multiple
> > network IPs (smb3.5.8)
> >
> > On Mon, Apr 23, 2012 at 08:52:14AM +0100, Dina_Fine at Dell.com wrote:
> > > Hello
> > > It seems the winbind_krb5_locator doesn't function correctly when the Domain
> > > Controller has multiple network IPs and some of the IPs are not reachable from the
> > > samba server system.
> > > The reason seems to be that only the winbind_krb5_locator uses the
> > > WBC_LOOKUP_DC_IP_REQUIRED flag for the dsgetdcname request.
> > >
> > > All other flows (like join domain) use only the DNS name and then resolve the
> > > name->IP in a smart way (taking an IP which responds to ldap request).
> > >
> > > P.S. We have a customer environment where this bug actually takes
> > > place. Sometimes the net join fails and sometimes net ads testjoin fails due to
> > > Kerberos error: Cannot contact any KDC for requested realm. Debugging the
> > > winbind_krb5_locator showed it replies with incorrect IP for the Kerberos Domain
> > > Controller request which leads to Kerberos error.
> >
> > Ok Dina, I think this patch will fix the winbind_krb5_locator to do what you need. It
> > removes the WBC_LOOKUP_DC_IP_REQUIRED flag from the winbindd request, which
> > means we'll only get the KDC DNS name back. Then we call the standard getaddrinfo
> > on that name but instead of just calling the plugin callback once, we call it for all
> > addresses that the getaddrinfo returned, allowing the krb5 library to collect a list of
> > all returned addresses.
> >
> > The list will still contain the unreachable IPs but at least one of them should be
> > reachable, and the krb5 library should be able to work with this.
> >
> > Let me know if it fixes your problem and if so I'll get it into the next releases for
> > 3.5.x and 3.6.x. The patch should apply cleanly to the 3.5.8 version you have.
> >
> > Thanks,
> >
> > Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: locator.patch
Type: application/octet-stream
Size: 2813 bytes
Desc: locator.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120424/4efb05ca/attachment.obj>