[Samba] password server and round robin dns of DCs - Samba

This is a discussion on [Samba] password server and round robin dns of DCs - Samba ; Hi All, I've been having a problem recently with LDAP queries for group names in winbind. I'm fairly certain the problem is to do with the fact that I'm using a round robin dns name for the password server. When ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: [Samba] password server and round robin dns of DCs

  1. [Samba] password server and round robin dns of DCs

    Hi All,

    I've been having a problem recently with LDAP queries for group names in
    winbind. I'm fairly certain the problem is to do with the fact that I'm
    using a round robin dns name for the password server. When samba starts
    it attaches itself to what I presume is the first server that returns
    from the dns lookup. When that server is taken down for maintenance it
    causes winbind to stop resolving group names, etc. see below for more
    details.

    My config:

    [global]
    workgroup = XXX
    realm = xxx.xxxxx.xxx
    netbios name = XXXX-XXXXX
    server string = %h server (Samba %v)
    security = ADS
    obey pam restrictions = Yes
    password server = xxx.xxxxx.xxx
    passdb backend = tdbsam
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
    *Retype\snew\sUNIX\spassword:* %n\n .
    restrict anonymous = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-100000000
    idmap gid = 10000-100000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
    invalid users = root
    hosts allow = xxx.xxx.34.0/255.255.255.0,
    xxx.xxx.16.0/255.255.255.0, 127.0.0.1



    My /var/log/samba/log.winbind:

    2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
    cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x2f to
    machine XXX-DC. Error
    was Call timed out: server did not respond after 10000 milliseconds
    [2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
    cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x4004 to
    machine XXX-DC. Er
    ror was Call timed out: server did not respond after 10000 milliseconds
    [2007/07/01 18:04:00, 1] libads/cldap.c:recv_cldap_netlogon(215)
    no reply received to cldap netlogon
    [2007/07/01 18:04:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
    ads_connect for domain XXX failed: Interrupted system call
    [2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
    could not lookup membership for group rid
    S-1-5-21-1117850145-1682116191-196506527-513 in d
    omain UOB (error: NT_STATUS_UNSUCCESSFUL)
    [2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(346)
    could not lookup sid
    ....
    [2007/07/01 18:11:48, 1] libads/cldap.c:recv_cldap_netlogon(215)
    no reply received to cldap netlogon
    [2007/07/01 18:11:48, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
    ads_connect for domain XXX failed: Interrupted system call
    [2007/07/01 18:11:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
    could not lookup membership for group rid ...
    nsswitch/winbindd_group.c:winbindd_getgrnam(259)
    group XXX-group in domain XXX does not exist
    ....


    It was my hope that the round robin dns would be expanded and Samba
    would retry the other servers in the DNS lookup. I can see now this does
    not work (although I'd like confirmation of this if possible).

    Authentication continues to work; the Kerberos realm uses the same round
    robin dns entry.

    I wonder if this classifies as a bug or feature request or is deliberate
    by design? I cannot use "password server = *" as the member servers are
    not sitting in the same IP subnet as the DCs, as I am aware, the
    discovery uses the netmask.

    I'm quite willing to change it to a know list of DCs but the round robin
    somehow seemed nicer.

    Any suggestions gladly welcomed.

    Matt
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] password server and round robin dns of DCs

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Matt Baker wrote:

    > It was my hope that the round robin dns would be expanded and Samba
    > would retry the other servers in the DNS lookup. I can see now this does
    > not work (although I'd like confirmation of this if possible).


    IIRC what's happening to you is that the server name is bring placed
    into a negative cache by Samba's name resolution manager so
    it will be ignored for a short period of time.

    > I wonder if this classifies as a bug or feature request or
    > is deliberate by design? I cannot use "password server = *"
    > as the member servers are not sitting in the same IP subnet
    > as the DCs, as I am aware, the discovery uses the netmask.


    Incorrect. That is true for bradcast NetBIOS name resulution
    but not for AD DC location which uses DNS.



    cheers, jerry
    ================================================== ===================
    Samba ------- http://www.samba.org
    Centeris ----------- http://www.centeris.com
    "What man is a man who does not make the world better?" --Balian
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.2.2 (Darwin)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFGjlGSIR7qMdg1EfYRApwxAJ9g14Miumri7PPUlTwAUF 0U8JX73gCeL5Xi
    RVrUoBVZUrhSKkzGP0wdWoc=
    =ss2A
    -----END PGP SIGNATURE-----
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

+ Reply to Thread