Adrian Chung
2003-Jul-21 01:04 UTC
[Samba] winbind/kerberos with multiple DCs fail to authenticate.
While testing the latest Samba3.0.0beta3, I notice that if I don't specify a password server winbind appears to look it up via DNS, and with two DCs, picks one. However, my krb5.conf specifies a particular Kerberos server (one of the two DCs), and so occasionally, winbind will pick the first DC, and kerberos uses the other.

When this happens, I can't seem to connect to any shares on the Samba servers, and also can't authenticate against the domain. Once I set the 'password server' directive to reflect the same DC as in my krb5.conf file, everything works fine.

Is this expected behaviour, or am I missing something that would make it possible for me to specify both DCs in both my smb.conf and krb5.conf configs? Does it even matter if Kerberos uses the first DC, and winbind uses the other? Or is that just a red herring?

I know that I can specify both servers in both my password server list and krb5.conf, but that's still no guarantee that they'll both pick the same server each time.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[gambit.enfusion-group.com] 9:03pm up 57 days, 22:40, 10 users
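An added example, not part of the original post: a small check that compares the 'password server' setting in smb.conf with the kdc entries for the realm in krb5.conf and reports whether both files pin the same single DC, the arrangement the post reports as working. The realm EXAMPLE.COM, the hosts dc1/dc2.example.com and the status names are constructed for illustration, and host names are compared exactly as written (no DNS resolution).

```python
import re

def password_servers(smb_conf):
    """Hosts from smb.conf 'password server'; [] when unset (DC found via DNS)."""
    hosts = []
    for raw in smb_conf.splitlines():
        key, sep, value = raw.strip().partition("=")
        # smb.conf parameter names ignore case and embedded whitespace
        if sep and re.sub(r"\s+", "", key).lower() == "passwordserver":
            hosts = [h.lower() for h in re.split(r"[,\s]+", value.strip()) if h]
    return hosts

def kdcs(krb5_conf, realm):
    """Hosts from the 'kdc =' lines inside the given realm block of krb5.conf."""
    hosts, current = [], None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        block = re.match(r"(\S+)\s*=\s*\{", line)
        if block:
            current = block.group(1)
        elif line.startswith("}"):
            current = None
        elif current == realm:
            kdc = re.match(r"kdc\s*=\s*([^\s:]+)", line)  # drop optional :port
            if kdc:
                hosts.append(kdc.group(1).lower())
    return hosts

def check(smb_conf, krb5_conf, realm):
    ps, kd = password_servers(smb_conf), kdcs(krb5_conf, realm)
    if not ps or "*" in ps:
        return "dns-lookup"   # winbind chooses the DC itself
    if len(ps) > 1 or len(kd) != 1:
        return "unpinned"     # one side is not fixed to a single DC
    return "aligned" if ps == kd else "mismatch"

# Constructed sample configurations
KRB5 = ("[libdefaults]\n default_realm = EXAMPLE.COM\n"
        "[realms]\n EXAMPLE.COM = {\n  kdc = dc1.example.com\n }\n")
SMB_DNS = "[global]\n realm = EXAMPLE.COM\n security = ads\n"
SMB_OTHER = SMB_DNS + " password server = dc2.example.com\n"
SMB_SAME = SMB_DNS + " password server = DC1.example.com\n"

if __name__ == "__main__":
    for name, conf in (("no password server", SMB_DNS),
                       ("other DC", SMB_OTHER), ("same DC", SMB_SAME)):
        print(name, "->", check(conf, KRB5, "EXAMPLE.COM"))
```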