n3o2kb9ud8afwumed
2025-May-18 14:01 UTC
[Samba] wbinfo -i/getent passwd does not work when 1 of 2 KDCs is down
Hi,
I have a home setup with 2 Samba AD DCs. One of the DC machines is temporarily
down (HW failure) and winbind is no longer able to do AD-based ID mapping lookups
[2].
I believe I tracked this down to the implementation of get_kdc_ip_string [1] only
succeeding if a minimum of 3 or the number of known DCs in the domain successfully
respond to netlogon pings.
The moment I force-demoted the dead DC from the one that is still running, everything
started working again.
I was curious why more than one KDC server has to successfully respond to the ping
for the function to succeed and allow user data to be queried?
Is something preventing the minimum from being set to 1 or being configurable where
availability is more important than redundancy/consistency? It is likely to save
others in the same situation the few hours of debugging I had to go through, where
the command wbinfo -u worked but wbinfo -i and getent passwd via the winbind nss
provider did not.
P.S. Using a throwaway account to avoid spam once the email address goes public via
the mailing list.
Thank you,
Vladimir
[1] Code
https://github.com/samba-team/samba/blob/b6757378be238985d2b5d514219e8fc9d0ab04ee/source3/libads/kerberos.c#L1226
    status = netlogon_pings(talloc_tos(), /* mem_ctx */
                            lp_client_netlogon_ping_protocol(), /* proto */
                            dc_addrs2, /* servers */
                            num_dcs, /* num_servers */
                            (struct netlogon_ping_filter){
                                .ntversion = NETLOGON_NT_VERSION_5 |
                                             NETLOGON_NT_VERSION_5EX,
                                .domain = realm,
                                .hostname = lp_netbios_name(),
                                .acct_ctrl = -1,
                                .required_flags = DS_KDC_REQUIRED,
                            },
                            MIN(num_dcs, 3), /* min_servers */
                            timeval_current_ofs(3, 0), /* timeout */
                            &responses);
    TALLOC_FREE(dc_addrs2);
[2] Logs
[2025/05/17 19:56:36.940911, 10, pid=3655496, effective(0, 0), real(0, 0), traceid=3] source3/libads/kerberos.c:1232(get_kdc_ip_string)
  get_kdc_ip_string: netlogon_pings failed: NT_STATUS_NOT_FOUND
[2025/05/17 19:56:36.940968, 3, pid=3655496, effective(0, 0), real(0, 0), traceid=3] source3/libads/kerberos.c:1253(get_kdc_ip_string)
  get_kdc_ip_string: Failed to get KDC ip address
[2025/05/17 19:56:36.941022, 10, pid=3655496, effective(0, 0), real(0, 0), class=winbind, traceid=3] source3/winbindd/idmap_ad.c:381(idmap_ad_get_tldap_ctx)
  idmap_ad_get_tldap_ctx: Could not create private krb5.conf
[3] Samba version
smbd --version
Version 4.22.1-Debian-4.22.1+dfsg-1
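
The failure chain in the log excerpt [2], as an added triage example that is not part of the original post and is not Samba code: a Python script that groups winbind debug entries by pid and traceid and reports every trace in which the three messages above occur in that order. The function names and the sample log (the post's entries with their wrapped headers rejoined, plus one constructed traceid=4 entry) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Samba debug header: [timestamp, level, pid=N, ..., traceid=N] file.c:line(function)
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s*\d+, pid=(?P<pid>\d+),"
                    r".*?traceid=(?P<trace>\d+)\]\s+\S+?:\d+\((?P<func>\w+)\)$")
# (function, message fragment) pairs taken from the post's log excerpt, in order
CHAIN = (("get_kdc_ip_string", "netlogon_pings failed"),
         ("get_kdc_ip_string", "Failed to get KDC ip address"),
         ("idmap_ad_get_tldap_ctx", "Could not create private krb5.conf"))

def parse_entries(text):
    """Return one dict per debug entry; message lines follow their header line."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({"key": (m["pid"], m["trace"]), "func": m["func"], "msg": ""})
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def find_kdc_lookup_failures(text):
    """Report each (pid, traceid) whose entries contain CHAIN as an ordered subsequence."""
    by_trace = defaultdict(list)
    for e in parse_entries(text):
        by_trace[e["key"]].append(e)
    hits = []
    for (pid, trace), entries in by_trace.items():
        it = iter(entries)  # shared iterator, so each CHAIN step must come after the last
        if all(any(e["func"] == f and n in e["msg"] for e in it) for f, n in CHAIN):
            codes = re.findall(r"NT_STATUS_\w+", " ".join(e["msg"] for e in entries))
            hits.append({"pid": pid, "traceid": trace, "status": codes[0] if codes else None})
    return hits

# Post's entries with wrapped headers rejoined, plus a constructed traceid=4 entry (one step only).
SAMPLE_LOG = """\
[2025/05/17 19:56:36.940911, 10, pid=3655496, effective(0, 0), real(0, 0), traceid=3] source3/libads/kerberos.c:1232(get_kdc_ip_string)
  get_kdc_ip_string: netlogon_pings failed: NT_STATUS_NOT_FOUND
[2025/05/17 19:56:36.940968, 3, pid=3655496, effective(0, 0), real(0, 0), traceid=3] source3/libads/kerberos.c:1253(get_kdc_ip_string)
  get_kdc_ip_string: Failed to get KDC ip address
[2025/05/17 19:56:36.941022, 10, pid=3655496, effective(0, 0), real(0, 0), class=winbind, traceid=3] source3/winbindd/idmap_ad.c:381(idmap_ad_get_tldap_ctx)
  idmap_ad_get_tldap_ctx: Could not create private krb5.conf
[2025/05/17 19:56:37.000000, 3, pid=3655496, effective(0, 0), real(0, 0), traceid=4] source3/libads/kerberos.c:1253(get_kdc_ip_string)
  get_kdc_ip_string: Failed to get KDC ip address
"""

if __name__ == "__main__":
    print(find_kdc_lookup_failures(SAMPLE_LOG))
```

The first and third messages are logged at level 10 in the excerpt, so the winbind log has to be captured at that debug level for the full chain to be visible.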