Hi All,

I've been having a problem recently with LDAP queries for group names in winbind. I'm fairly certain the problem is to do with the fact that I'm using a round robin DNS name for the password server. When Samba starts it attaches itself to what I presume is the first server that returns from the DNS lookup. When that server is taken down for maintenance it causes winbind to stop resolving group names, etc. See below for more details.

My config:

[global]
	workgroup = XXX
	realm = xxx.xxxxx.xxx
	netbios name = XXXX-XXXXX
	server string = %h server (Samba %v)
	security = ADS
	obey pam restrictions = Yes
	password server = xxx.xxxxx.xxx
	passdb backend = tdbsam
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
	restrict anonymous = 1
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	local master = No
	dns proxy = No
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-100000000
	idmap gid = 10000-100000000
	template homedir = /home/%U
	template shell = /bin/bash
	winbind use default domain = Yes
	invalid users = root
	hosts allow = xxx.xxx.34.0/255.255.255.0, xxx.xxx.16.0/255.255.255.0, 127.0.0.1

My /var/log/samba/log.winbind:

[2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \lsarpc, fnum 0x2f to machine XXX-DC. Error was Call timed out: server did not respond after 10000 milliseconds
[2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \NETLOGON, fnum 0x4004 to machine XXX-DC. Error was Call timed out: server did not respond after 10000 milliseconds
[2007/07/01 18:04:00, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/07/01 18:04:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid S-1-5-21-1117850145-1682116191-196506527-513 in domain UOB (error: NT_STATUS_UNSUCCESSFUL)
[2007/07/01 18:04:00, 1] nsswitch/winbindd_group.c:getgrgid_got_sid(346)
  could not lookup sid ...
[2007/07/01 18:11:48, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/07/01 18:11:48, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:11:48, 1] nsswitch/winbindd_group.c:fill_grent_mem(106)
  could not lookup membership for group rid ...
nsswitch/winbindd_group.c:winbindd_getgrnam(259)
  group XXX-group in domain XXX does not exist
...

It was my hope that the round robin DNS would be expanded and Samba would retry the other servers in the DNS lookup. I can see now this does not work (although I'd like confirmation of this if possible). Authentication continues to work; the Kerberos realm uses the same round robin DNS entry.

I wonder if this classifies as a bug or feature request, or is deliberate by design? I cannot use "password server = *" as the member servers are not sitting in the same IP subnet as the DCs; as far as I am aware, the discovery uses the netmask. I'm quite willing to change it to a known list of DCs but the round robin somehow seemed nicer.

Any suggestions gladly welcomed.

Matt
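A defender-side check for the failure pattern shown in the log above, added here as an example; it is not part of the original thread and not Samba code. It assumes the two-line winbind log layout seen in the post (a header line "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)" followed by the message on the next line), and the sample input is constructed from the post's excerpt. It parses the entries, counts RPC timeouts per DC (so you can see which single DC winbind was pinned to), records the window during which ads_connect kept failing, and lists the group lookups that failed as a consequence, which is the data you would want in an alert before users start reporting missing groups.

```python
"""Parse Samba winbind log entries and flag DC connectivity failures.

Added example (not Samba code, not from the original post). Assumes the
two-line log layout shown in the thread. SAMPLE_LOG is constructed from
the post's excerpt.
"""
import re
from collections import defaultdict
from datetime import datetime

# Header line: "[2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
TIMEOUT_RE = re.compile(r"to machine (?P<machine>\S+?)\. Error was Call timed out")
ADS_FAIL_RE = re.compile(r"ads_connect for domain (?P<domain>\S+) failed: (?P<reason>.+)$")
GROUP_MISSING_RE = re.compile(r"group (?P<group>\S+) in domain (?P<domain>\S+) does not exist")

# Constructed sample, taken from the log excerpt in the post.
SAMPLE_LOG = """\
[2007/07/01 18:03:45, 1] libsmb/clientgen.c:cli_rpc_pipe_close(376)
  cli_rpc_pipe_close: cli_close failed on pipe \\lsarpc, fnum 0x2f to machine XXX-DC. Error was Call timed out: server did not respond after 10000 milliseconds
[2007/07/01 18:04:00, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/07/01 18:04:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:11:48, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
  ads_connect for domain XXX failed: Interrupted system call
[2007/07/01 18:11:48, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(259)
  group XXX-group in domain XXX does not exist
"""


def parse_entries(text):
    """Return a list of dicts (ts, level, func, msg) from winbind log text.

    Message lines following a header are joined onto that entry; text before
    the first header and bare "..." separators are skipped.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current:
                entries.append(current)
            current = {
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group("level")),
                "func": m.group("func"),
                "msg": "",
            }
        elif current is not None and raw.strip() and raw.strip() != "...":
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    if current:
        entries.append(current)
    return entries


def summarize_dc_failures(text):
    """Summarize DC reachability problems for an alert or dashboard.

    'unreachable_machines': DC name -> number of RPC call timeouts against it.
    'ads_connect_failures': domain -> (first, last) time ads_connect failed.
    'missing_groups': (domain, group) lookups that failed as a consequence.
    """
    summary = {
        "unreachable_machines": defaultdict(int),
        "ads_connect_failures": {},
        "missing_groups": [],
    }
    for e in parse_entries(text):
        msg = e["msg"]
        if (m := TIMEOUT_RE.search(msg)):
            summary["unreachable_machines"][m.group("machine")] += 1
        elif (m := ADS_FAIL_RE.search(msg)):
            dom = m.group("domain")
            first, _ = summary["ads_connect_failures"].get(dom, (e["ts"], e["ts"]))
            summary["ads_connect_failures"][dom] = (first, e["ts"])
        elif (m := GROUP_MISSING_RE.search(msg)):
            summary["missing_groups"].append((m.group("domain"), m.group("group")))
    summary["unreachable_machines"] = dict(summary["unreachable_machines"])
    return summary


if __name__ == "__main__":
    s = summarize_dc_failures(SAMPLE_LOG)
    for dc, n in s["unreachable_machines"].items():
        print(f"DC {dc}: {n} RPC timeout(s); winbind is still pinned to it")
    for dom, (first, last) in s["ads_connect_failures"].items():
        print(f"domain {dom}: ads_connect failing from {first} to {last}")
    for dom, grp in s["missing_groups"]:
        print(f"group lookup failed: {dom}\\{grp}")
```

Run it against the real file with `summarize_dc_failures(open("/var/log/samba/log.winbind").read())`; a non-empty `ads_connect_failures` window that keeps extending while only one machine ever appears under `unreachable_machines` is exactly the symptom described in the post, and is the signal on which to fail over or restart winbind rather than waiting for group lookups to break.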
Gerald (Jerry) Carter
2007-Jul-06 14:29 UTC
[Samba] password server and round robin dns of DCs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Baker wrote:

> It was my hope that the round robin dns would be expanded and Samba
> would retry the other servers in the DNS lookup. I can see now this does
> not work (although I'd like confirmation of this if possible).

IIRC what's happening to you is that the server name is being placed into a negative cache by Samba's name resolution manager so it will be ignored for a short period of time.

> I wonder if this classifies as a bug or feature request or
> is deliberate by design? I cannot use "password server = *"
> as the member servers are not sitting in the same IP subnet
> as the DCs, as I am aware, the discovery uses the netmask.

Incorrect. That is true for broadcast NetBIOS name resolution but not for AD DC location, which uses DNS.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGjlGSIR7qMdg1EfYRApwxAJ9g14Miumri7PPUlTwAUF0U8JX73gCeL5Xi
RVrUoBVZUrhSKkzGP0wdWoc=ss2A
-----END PGP SIGNATURE-----