During some recent testing of winbindd (3.0.22) in a multi-domain, multi-DC AD context, the AD expert I was working with was very interested in winbindd's choice of domain controller (it apparently was not choosing the one(s) AD-expert expected).

I understand that Windows domain members have an algorithm based on DNS SRV records and IP address comparison, and I've seen some code posted in the last few days that suggests this is only 'under development' for Samba.

Can someone spell out to me the way Samba looks up DCs and chooses amongst them? For extra points: is there a way we can influence the choice?

Thanks,
Bob Gautier

_____________________________________________________________
This email (including any attachments to it) is confidential, legally privileged, subject to copyright and is sent for the personal attention of the intended recipient only. If you have received this email in error, please advise us immediately and delete it. You are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. Although we have taken reasonable precautions to ensure no viruses are present in this email, we cannot accept responsibility for any loss or damage arising from the viruses in this email or attachments. We exclude any liability for the content of this email, or for the consequences of any actions taken on the basis of the information provided in this email or its attachments, unless that information is subsequently confirmed in writing. If this email contains an offer, that should be considered as an invitation to treat.
_____________________________________________________________
Gerald (Jerry) Carter
2006-May-05 12:58 UTC
[Samba] How does Samba find a domain controller?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gautier, B (Bob) wrote:
> During some recent testing of winbindd (3.0.22) in
> a multi-domain, multi-DC AD context, the AD expert I was
> working with was very interested in winbindd's choice
> of domain controller (it apparently was not choosing
> the one(s) AD-expert expected).
>
> I understand that Windows domain members have an algorithm based
> on DNS SRV records and IP address comparison, and I've seen
> some code posted in the last few days that suggests this
> is only 'under development' for Samba.
>
> Can someone spell out to me the way Samba looks up DCs
> and chooses amongst them? For extra points: is there a
> way we can influence the choice?

ok. Here goes. This applies to >= 3.0.14.

The process breaks down into 2 parts: finding a list of domain controllers, and then choosing which one to contact.

Finding a DC is dependent on the 'name resolve order' parameter value. NetBIOS lookups search for the DOMAIN<0x1c>. DNS lookups query for _ldap._tcp.<domain>.

Samba 3.0.23 will query the correct _ldap._tcp.dc._msdcs.<domain> name and includes affinity for a server once connected so that for example winbindd will reconnect to the server used during the domain join to avoid lags in replication delays between DCs.

Once you have a list of IP addresses, winbindd will spray all the DCs with a socket connect and select the first one that replies.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEW0qnIR7qMdg1EfYRAoOAAKCfDu9BZuDTPgdTEVVxI8MEeDwXDgCgkNkC
7xchFyDigXLW6hiCVQ+1d5E=
=kFzY
-----END PGP SIGNATURE-----
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: 05 May 2006 13:53
> To: Gautier, B (Bob)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] How does Samba find a domain controller?
>
> Gautier, B (Bob) wrote:
> > Can someone spell out to me the way Samba looks up DCs and chooses
> > amongst them? For extra points: is there a way we can influence the
> > choice?
>
> ok. Here goes. This applies to >= 3.0.14.
>
> The process breaks down into 2 parts: finding a list of
> domain controllers, and then choosing which one to contact.
>
> Finding a DC is dependent on the 'name resolve order'
> parameter value. NetBIOS lookups search for the
> DOMAIN<0x1c>. DNS lookups query for _ldap._tcp.<domain>.

The recommendation in the smb.conf manpage is 'name resolve order = wins bcast' when you are in security=ads mode, with a remark that in that case ADS-style DNS lookups are done anyway, first. Is my reading right?

> Samba 3.0.23 will query the correct
> _ldap._tcp.dc._msdcs.<domain> name and includes affinity for
> a server once connected so that for example winbindd will
> reconnect to the server used during the domain join to avoid
> lags in replication delays between DCs.

Is that in pre1, or still to come?

> Once you have a list of IP addresses, winbindd will spray all
> the DCs with a socket connect and select the first one that replies.

So as I understand it there is no plan to do any 'nearest DC' guessing (which is what Windows appears to do, based on IP address comparisons) but we can influence choice of DC by what we put in the DNS in the first place, and by firewalling to prevent access to inappropriate (e.g. offsite) DCs?

Thanks for the quick response,
Bob G
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: 05 May 2006 14:35
> To: Gautier, B (Bob)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] How does Samba find a domain controller?
>
> Gautier, B (Bob) wrote:
> > The recommendation in the smb.conf manpage is 'name resolve order =
> > wins bcast' when you are in security=ads mode, with a remark that in
> > that case ADS-style DNS lookups are done anyway, first. Is my
> > reading right?
>
> If the man page says that, it's wrong. DNS lookups are only
> performed if you have host in the 'name resolve order'
> list. I can double check, but I'm pretty sure this is how we
> coded it up.
>
> > > Samba 3.0.23 will query the correct
> > > _ldap._tcp.dc._msdcs.<domain> name and includes affinity for a server
> > > once connected so that for example winbindd will reconnect to the
> > > server used during the domain join to avoid lags in replication delays
> > > between DCs.
> >
> > Is that in pre1, or still to come?
>
> The server affinity patches are in 3.0.23pre1. The new DNS
> lookup routines are still in development.
>
> > So as I understand it there is no plan to do any 'nearest DC'
> > guessing (which is what Windows appears to do, based on IP address
> > comparisons) but we can influence choice of DC by what we put in the
> > DNS in the first place, and by firewalling to prevent access to
> > inappropriate (e.g. offsite) DCs?
>
> You mean the Site name stuff? I'm working on integrating
> the CLDAP queries but I haven't looked at the Site stuff much.
> We used to pick DC's based on network address and that was horrible.

I might mean Site name stuff -- my understanding of exactly how Windows does it is hazy.

I've got enough detail for my purposes now, and knowing that Samba once *did* do address-based choice, has stopped, and presumably won't ever do it again is useful.

> Note that for your own domain you can specify 'password server
> = foo.dom.ain *' to give preference to a specific DC. This
> doesn't work for trusted domains though.

Another useful trick!

Thanks again,
Bob G
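Jerry's two-step description earlier in the thread (build a candidate list according to 'name resolve order', then spray socket connects and take the first DC that answers), his correction that DNS lookups only run when 'host' is in that list, and the 'password server = foo.dom.ain *' preference tip, pulled together as an added Python example. This is not Samba's code: the smb.conf fragment, the DC names and the loopback listeners are constructed for the demonstration, the DNS SRV and NetBIOS lookups are only planned (named), not performed, and the default 'name resolve order' used when the parameter is absent is assumed from the smb.conf(5) manpage. The connect race drops a host that refuses the connection rather than selecting it.

```python
import errno
import selectors
import socket
import time
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment for an ADS member (example values only).
SMB_CONF = """
[global]
    security = ads
    # DNS SRV lookups only run when 'host' is in this list.
    name resolve order = host wins bcast
    # Prefer dc1 for our own domain; '*' allows any other DC as fallback.
    password server = dc1.example.local *
"""


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Minimal 'key = value' parser for the [global] section."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def dc_lookup_plan(params: Dict[str, str], dns_domain: str,
                   netbios_domain: str) -> List[Tuple[str, str]]:
    """Lookups run, in order, for 'name resolve order': 'host' is a DNS SRV
    query (3.0.23's _msdcs name shown), 'wins'/'bcast' a NetBIOS <0x1c>
    lookup. The default order is assumed from the smb.conf(5) manpage."""
    order = params.get("name resolve order", "lmhosts host wins bcast").split()
    plan = []
    for method in order:
        if method == "host":
            plan.append(("dns-srv", f"_ldap._tcp.dc._msdcs.{dns_domain}"))
        elif method in ("wins", "bcast"):
            plan.append((f"netbios-{method}", f"{netbios_domain}<0x1c>"))
    return plan


def order_candidates(password_server: str, discovered: List[str]) -> List[str]:
    """'password server': listed DCs first; the rest only if '*' is present."""
    names = password_server.split()
    preferred = [n for n in names if n != "*"]
    if "*" not in names:
        return preferred
    return preferred + [d for d in discovered if d not in preferred]


def race_connect(addrs: List[Tuple[str, int]],
                 timeout: float = 2.0) -> Optional[Tuple[str, int]]:
    """Non-blocking connect to every address at once; the first handshake
    to complete wins, refused or failed connects are dropped."""
    sel = selectors.DefaultSelector()
    pending: Dict[socket.socket, Tuple[str, int]] = {}
    for addr in addrs:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        if s.connect_ex(addr) not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
            s.close()  # immediate failure, e.g. ECONNREFUSED
            continue
        pending[s] = addr
        sel.register(s, selectors.EVENT_WRITE)
    winner = None
    deadline = time.monotonic() + timeout
    try:
        while winner is None and pending:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            for key, _ in sel.select(remaining):
                s = key.fileobj
                if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                    winner = pending[s]  # first completed connect wins
                    break
                sel.unregister(s)  # deferred failure (e.g. refused)
                s.close()
                del pending[s]
    finally:
        for s in pending:
            s.close()
        sel.close()
    return winner


def demo_race() -> Dict[str, object]:
    """Race two loopback listeners (live DCs) against a free port nothing
    listens on (dead DC); all three endpoints are constructed locally."""
    listeners = []
    for _ in range(2):
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.bind(("127.0.0.1", 0))
        ls.listen(5)
        listeners.append(ls)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    refused = probe.getsockname()
    probe.close()  # port is free again, so connects to it are refused
    live = [ls.getsockname() for ls in listeners]
    try:
        winner = race_connect([refused] + live)
    finally:
        for ls in listeners:
            ls.close()
    return {"live": live, "refused": refused, "winner": winner}
```

Running `dc_lookup_plan(parse_smb_conf(SMB_CONF), "example.local", "EXAMPLE")` shows the DNS SRV name queried first, followed by the WINS and broadcast <0x1c> lookups; with 'name resolve order = wins bcast' no DNS step appears at all, which is the point Jerry makes about the manpage. `order_candidates` puts the 'password server' entry ahead of whatever the lookups returned, and `demo_race` shows why an unreachable DC in the list costs nothing more than a lost race: the first completed handshake is taken and the refused endpoint never wins.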
> -----Original Message-----
> From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
> Sent: 05 May 2006 14:53
> To: Gautier, B (Bob)
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] How does Samba find a domain controller?
>
> Gautier, B (Bob) wrote:
> > I might mean Site name stuff -- my understanding of exactly how
> > Windows does it is hazy. I've got enough detail for my purposes now,
> > and knowing that Samba once *did* do address-based choice, has
> > stopped, and presumably won't ever do it again is useful.
>
> The original network heuristic was based on network
> addresses. It was either an all or none match.

Thanks,
Bob G
On Fri, 2006-05-05 at 09:54 +0100, Gautier, B (Bob) wrote:
> During some recent testing of winbindd (3.0.22) in a multi-domain,
> multi-DC AD context, the AD expert I was working with was very
> interested in winbindd's choice of domain controller (it apparently was
> not choosing the one(s) AD-expert expected).

Samba is not (yet) Site-aware; that's why Samba's way of discovering DCs may not be what you expect.

> I understand that Windows domain members have an algorithm based on DNS
> SRV records and IP address comparison, and I've seen some code posted in
> the last few days that suggests this is only 'under development' for
> Samba.

Windows uses DNS SRV records as well as CLDAP queries; Samba does not yet correlate all data.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org