14554 – winbind hangs when one of the DCs goes down

Bug 14554 - winbind hangs when one of the DCs goes down

Summary: winbind hangs when one of the DCs goes down

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.12.6
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-10-27 12:41 UTC by Lev
Modified:	2020-10-27 13:11 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
winbindd logs (123.60 KB, text/plain) 2020-10-27 12:41 UTC, Lev	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Lev 2020-10-27 12:41:47 UTC

Created attachment 16312 [details]
winbindd logs

There are two DC servers: WIN-EJ7MV1SFC5N (10.20.88.51) and WIN-JIE7G4JU4L2 (10.20.90.85). When AD DC services on WIN-EJ7MV1SFC5N are stopped (stop "Active Directory Domain Services" in services.msc), winbind is stuck instead of switching to the other available DC, wbinfo fails on timeout:

$ wbinfo -P ZTEST
checking the NETLOGON for domain[ZTEST] dc connection to "WIN-EJ7MV1SFC5N.ztest.ad" succeeded

$ date; time wbinfo -P ZTEST
Tue Oct 27 11:36:49 UTC 2020
checking the NETLOGON for domain[ZTEST] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

real    1m4.626s
user    0m0.014s
sys     0m0.004s

As far as I can see there are 3 stages in winbindd trying to access DC services that are down:

1. During ~14sec till 11:37:03 winbindd sends UDP requests to the port 389 (LDAP):

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 172.29.224.119:58599    10.20.88.51:389         ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce9089b77 in epoll_wait () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf07c8815 in epoll_event_loop (epoll_ev=0x7fdcdb02d020, tvalp=0x7fff02781240) at ../../lib/tevent/tevent_epoll.c:650
#2  0x00007fdcf07c91cf in epoll_event_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_epoll.c:937
#3  0x00007fdcf07c5931 in std_event_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_standard.c:110
#4  0x00007fdcf07bd2a4 in _tevent_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent.c:772
#5  0x00007fdcf07bfd40 in tevent_req_poll (req=0x7fdcdb091f00, ev=0x7fdcdb075920) at ../../lib/tevent/tevent_req.c:300
#6  0x00007fdcf17b4acf in tevent_req_poll_ntstatus (req=0x7fdcdb091f00, ev=0x7fdcdb075920, status=0x7fff02781394) at ../../lib/util/tevent_ntstatus.c:109
#7  0x00007fdcec30ba76 in cldap_multi_netlogon (mem_ctx=0x7fdcdb07d680, servers=0x7fff02781420, num_servers=1, domain=0x7fdcdb016390 "ztest.ad", hostname=0x0, ntversion=6, min_servers=1, timeout=..., responses=0x7fff02781428) at ../../source3/libads/cldap.c:348
#8  0x00007fdcec30bc71 in ads_cldap_netlogon (mem_ctx=0x7fdcdb07d680, ss=0x7fff02781690, realm=0x7fdcdb016390 "ztest.ad", nt_version=6, _reply=0x7fff027814d0) at ../../source3/libads/cldap.c:389
#9  0x00007fdcec30be14 in ads_cldap_netlogon_5 (mem_ctx=0x7fdcdb07d680, ss=0x7fff02781690, realm=0x7fdcdb016390 "ztest.ad", reply5=0x7fff02781530) at ../../source3/libads/cldap.c:423
#10 0x00007fdcf036fa7c in ads_try_connect (ads=0x7fdcdb089a80, gc=false, ss=0x7fff02781690) at ../../source3/libads/ldap.c:259
#11 0x00007fdcf0370b49 in ads_connect (ads=0x7fdcdb089a80) at ../../source3/libads/ldap.c:605
#12 0x000055d176cdb821 in dcip_check_name (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, pss=0x7fff02781a10, name=0x7fff027819f8, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1431
#13 0x000055d176cdcfec in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1932
#14 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#15 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#16 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#17 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#18 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#19 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

2. Then during ~6sec till 11:37:09 winbindd sends UDP requests to the port 53 (DNS) (but in some my tests it took up to ~20sec):

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 172.29.224.119:35435    10.20.88.51:53          ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce9089b77 in epoll_wait () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf07c8815 in epoll_event_loop (epoll_ev=0x7fdcdb02d200, tvalp=0x7fff02780dd0) at ../../lib/tevent/tevent_epoll.c:650
#2  0x00007fdcf07c91cf in epoll_event_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_epoll.c:937
#3  0x00007fdcf07c5931 in std_event_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_standard.c:110
#4  0x00007fdcf07bd2a4 in _tevent_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent.c:772
#5  0x00007fdcf07bfd40 in tevent_req_poll (req=0x7fdcdb091f00, ev=0x7fdcdb0760a0) at ../../lib/tevent/tevent_req.c:300
#6  0x00007fdcf17b4acf in tevent_req_poll_ntstatus (req=0x7fdcdb091f00, ev=0x7fdcdb0760a0, status=0x7fff02780f1c) at ../../lib/util/tevent_ntstatus.c:109
#7  0x00007fdce4c9bb9f in ads_dns_lookup_srv (ctx=0x7fdcdb07d800, name=0x7fdcdb11e0c0 "_kerberos._tcp.dc._msdcs.ztest.ad", dclist=0x7fff02781068, numdcs=0x7fff02780f9c) at ../../lib/addns/dnsquery.c:218
#8  0x00007fdce4c9c4ad in ads_dns_query_internal (ctx=0x7fdcdb07d800, servicename=0x7fdce4ca0f40 "_kerberos", dc_pdc_gc_domains=0x7fdce4ca0f34 "dc", realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, dclist=0x7fff02781068, numdcs=0x7fff02781058) at ../../lib/addns/dnsquery.c:418
#9  0x00007fdce4c9c5e3 in ads_dns_query_kdcs (ctx=0x7fdcdb07d800, dns_forest_name=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, dclist=0x7fff02781068, numdcs=0x7fff02781058) at ../../lib/addns/dnsquery.c:483
#10 0x00007fdcec31ad03 in resolve_ads (name=0x7fdcdb0ccd90 "ztest.ad", name_type=56540, sitename=0x0, return_iplist=0x7fff02781250, return_count=0x7fff0278122c) at ../../source3/libsmb/namequery.c:2427
#11 0x00007fdcec31ba2f in internal_resolve_name (name=0x7fdcdb0ccd90 "ztest.ad", name_type=56540, sitename=0x0, return_iplist=0x7fff02781250, return_count=0x7fff0278122c, resolve_order=0x7fdcdb0cd180) at ../../source3/libsmb/namequery.c:2695
#12 0x00007fdcec31d0df in get_dc_list (domain=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, ip_list=0x7fff027813f8, count=0x7fff027813e4, lookup_type=DC_KDC_ONLY, ordered=0x7fff027813a3) at ../../source3/libsmb/namequery.c:3138
#13 0x00007fdcec31dd3f in get_kdc_list (realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, ip_list=0x7fff027813f8, count=0x7fff027813e4) at ../../source3/libsmb/namequery.c:3368
#14 0x00007fdcec309415 in get_kdc_ip_string (mem_ctx=0x7fdcdb0cbfe0 "/var/lock/samba/smb_krb5", realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x7fdcdb0d00e0 "Default-First-Site-Name", pss=0x7fdcdb089bb0) at ../../source3/libads/kerberos.c:457
#15 0x00007fdcec309e53 in create_local_private_krb5_conf_for_domain (realm=0x7fdcdb0ccd90 "ztest.ad", domain=0x7fdcdb0ccc40 "ZTEST", sitename=0x7fdcdb0d00e0 "Default-First-Site-Name", pss=0x7fdcdb089bb0) at ../../source3/libads/kerberos.c:698
#16 0x00007fdcf038c1f2 in ads_dc_name (domain=0x7fdcdb0ccc40 "ZTEST", realm=0x7fdcdb0ccd90 "ztest.ad", dc_ss=0x7fff02781630, srv_name=0x7fff027817d0 "\377\377\377\377\334\177") at ../../source3/libsmb/namequery_dc.c:113
#17 0x00007fdcf038c97d in get_dc_name (domain=0x7fdcdb0ccc40 "ZTEST", realm=0x7fdcdb0ccd90 "ztest.ad", srv_name=0x7fff027817d0 "\377\377\377\377\334\177", ss_out=0x7fff02781720) at ../../source3/libsmb/namequery_dc.c:240
#18 0x000055d176cdbed6 in get_dcs (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, dcs=0x7fff02781938, num_dcs=0x7fff02781928, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1572
#19 0x000055d176cdc39b in find_new_dc (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, dcname=0x7fff027819f8, pss=0x7fdcdb042310, fd=0x7fff027819e8, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1686
#20 0x000055d176cdd2f2 in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1972
#21 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#22 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#23 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#24 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#25 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#26 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

3. And finally winbind tries to connect to port 88 (kerberos) and connection is stuck in a state SYN_SENT:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      1 172.29.224.119:37789    10.20.88.51:88          SYN_SENT    23765/winbindd: dom 
tcp        0      0 172.29.224.119:55235    10.20.90.85:445         ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce908a8b4 in connect () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf22d58c7 in libc_connect (sockfd=25, addr=0x7fdcdb060e30, addrlen=16) at libzsocket/libzsocket.c:168
#2  0x00007fdcf22d6b4f in connect (sockfd=25, addr=0x7fdcdb060e30, addrlen=16) at libzsocket/libzsocket.c:330
#3  0x00007fdced281465 in krb5_sendto (context=0x7fdcdb076180, send_data=0x7fff027807e0, handle=0x7fdcdb060dc0, receive=0x7fff027807f0) at ../../source4/heimdal/lib/krb5/send_to_kdc.c:422
#4  0x00007fdced281a9d in krb5_sendto_context (context=0x7fdcdb076180, ctx=0x7fdcdb0c97a0, send_data=0x7fff027807e0, realm=0x7fdcdb0164a0 "ZTEST.AD", receive=0x7fff027807f0) at ../../source4/heimdal/lib/krb5/send_to_kdc.c:626
#5  0x00007fdced25844a in get_cred_kdc (context=0x7fdcdb076180, id=0x7fdcdb0c9940, flags=..., addresses=0x0, in_creds=0x7fff02780cd0, krbtgt=0x7fff02780c40, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fff02780d60) at ../../source4/heimdal/lib/krb5/get_cred.c:521
#6  0x00007fdced258850 in get_cred_kdc_address (context=0x7fdcdb076180, id=0x7fdcdb0c9940, flags=..., addrs=0x0, in_creds=0x7fff02780cd0, krbtgt=0x7fff02780c40, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fff02780d60) at ../../source4/heimdal/lib/krb5/get_cred.c:629
#7  0x00007fdced259a03 in get_cred_kdc_referral (context=0x7fdcdb076180, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fdcdb0d0930, ret_tgts=0x7fff02780f78) at ../../source4/heimdal/lib/krb5/get_cred.c:998
#8  0x00007fdced259ea4 in _krb5_get_cred_kdc_any (context=0x7fdcdb076180, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fdcdb0d0930, ret_tgts=0x7fff02780f78) at ../../source4/heimdal/lib/krb5/get_cred.c:1103
#9  0x00007fdced25a13f in krb5_get_credentials_with_flags (context=0x7fdcdb076180, options=0, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, out_creds=0x7fdcdb0d0930) at ../../source4/heimdal/lib/krb5/get_cred.c:1198
#10 0x00007fdced25a254 in krb5_get_credentials (context=0x7fdcdb076180, options=0, ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, out_creds=0x7fdcdb0d0930) at ../../source4/heimdal/lib/krb5/get_cred.c:1219
#11 0x00007fdce67f1b1c in gsskrb5_get_creds (minor_status=0x7fff027813fc, context=0x7fdcdb076180, ccache=0x7fdcdb0c9940, ctx=0x7fdcdb0d0900, target_name=0x7fdcdb0c9480, use_dns=0, time_req=0, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:248
#12 0x00007fdce67f21b1 in init_auth (minor_status=0x7fff027813fc, cred=0x7fdcdb060f00, ctx=0x7fdcdb0d0900, context=0x7fdcdb076180, name=0x7fdcdb0c9480, mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:457
#13 0x00007fdce67f3175 in _gsskrb5_init_sec_context (minor_status=0x7fff027813fc, cred_handle=0x7fdcdb060f00, context_handle=0x7fdcdb016238, target_name=0x7fdcdb0c9480, mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_chan_bindings=0x0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:944
#14 0x00007fdce680d654 in gss_init_sec_context (minor_status=0x7fff027813fc, initiator_cred_handle=0x7fdcdb0610d0, context_handle=0x7fdcdb080d60, target_name=0x7fdcdb00ed90, input_mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_chan_bindings=0x0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c:187
#15 0x00007fdcec306183 in gse_get_client_auth_token (mem_ctx=0x7fdcdb092b30, gensec_security=0x7fdcdb010960, token_in=0x7fff027814d0, token_out=0x7fdcdb092b38) at ../../source3/librpc/crypto/gse.c:487
#16 0x00007fdcec307143 in gensec_gse_update_internal (gensec_security=0x7fdcdb010960, mem_ctx=0x7fdcdb092b30, in=..., out=0x7fdcdb092b38) at ../../source3/librpc/crypto/gse.c:879
#17 0x00007fdcec307052 in gensec_gse_update_send (mem_ctx=0x7fdcdb0927b0, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010960, in=...) at ../../source3/librpc/crypto/gse.c:854
#18 0x00007fdcea4cac88 in gensec_update_send (mem_ctx=0x7fdcdb128230, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010960, in=...) at ../../auth/gensec/gensec.c:449
#19 0x00007fdcea4b6ac9 in gensec_spnego_update_send (mem_ctx=0x7fdcdb092430, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010a60, in=...) at ../../auth/gensec/spnego.c:1750
#20 0x00007fdcea4cac88 in gensec_update_send (mem_ctx=0x7fdcdb093cb0, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010a60, in=...) at ../../auth/gensec/gensec.c:449
#21 0x00007fdcecda2153 in cli_session_setup_gensec_local_next (req=0x7fdcdb093b00) at ../../source3/libsmb/cliconnect.c:996
#22 0x00007fdcecda207c in cli_session_setup_gensec_send (mem_ctx=0x7fdcdb0935b0, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260, target_service=0x7fdcecdf7386 "cifs", target_hostname=0x7fdcdb0cbd60 "WIN-JIE7G4JU4L2.ztest.ad") at ../../source3/libsmb/cliconnect.c:976
#23 0x00007fdcecda2f7b in cli_session_setup_spnego_send (mem_ctx=0x7fdcdb0920b0, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1345
#24 0x00007fdcecda3462 in cli_session_setup_creds_send (mem_ctx=0x7fdcdb075920, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1504
#25 0x00007fdcecda4423 in cli_session_setup_creds (cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1842
#26 0x000055d176cdab41 in cm_prepare_connection (domain=0x7fdcdb042260, sockfd=23, controller=0x7fdcdb0d00e0 "WIN-JIE7G4JU4L2.ztest.ad", cli=0x7fdcdb0423a0, retry=0x7fff027819e1) at ../../source3/winbindd/winbindd_cm.c:1164
#27 0x000055d176cdd3ba in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1993
#28 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#29 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#30 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#31 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#32 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#33 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

Notice that in the frame #26 it already selected "good" DC WIN-JIE7G4JU4L2, but then sends kerberos request again to the old DC WIN-EJ7MV1SFC5N that is down.

Only ~4.5 min later, at 11:41:32 winbindd resumes, but complains that it failed to prepare SMB connection to WIN-JIE7G4JU4L2, although WIN-JIE7G4JU4L2 up.

If in get_trust_credentials() I explicitly require not to use kerberos (call cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS) there), winbind is stuck for 20-30 sec (in stages 1. and 2.) but then succesfully switches to the 2nd DC using NTLM.

Attached is log.wb-ZTEST with debug level 10.