Bug 14554 - winbind hangs when one of the DCs goes down
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.12.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2020-10-27 12:41 UTC by Lev
Modified: 2020-10-27 13:11 UTC

Attachments
winbindd logs (123.60 KB, text/plain)
2020-10-27 12:41 UTC, Lev

Description Lev 2020-10-27 12:41:47 UTC
Created attachment 16312
winbindd logs

There are two DC servers: WIN-EJ7MV1SFC5N (10.20.88.51) and WIN-JIE7G4JU4L2 (10.20.90.85). When AD DC services on WIN-EJ7MV1SFC5N are stopped (stop "Active Directory Domain Services" in services.msc), winbind is stuck instead of switching to the other available DC, and wbinfo fails on timeout:

$ wbinfo -P ZTEST
checking the NETLOGON for domain[ZTEST] dc connection to "WIN-EJ7MV1SFC5N.ztest.ad" succeeded

$ date; time wbinfo -P ZTEST
Tue Oct 27 11:36:49 UTC 2020
checking the NETLOGON for domain[ZTEST] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

real    1m4.626s
user    0m0.014s
sys     0m0.004s

As far as I can see there are 3 stages in winbindd trying to access DC services that are down:

1. During ~14sec till 11:37:03 winbindd sends UDP requests to the port 389 (LDAP):

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 172.29.224.119:58599    10.20.88.51:389         ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce9089b77 in epoll_wait () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf07c8815 in epoll_event_loop (epoll_ev=0x7fdcdb02d020, tvalp=0x7fff02781240) at ../../lib/tevent/tevent_epoll.c:650
#2  0x00007fdcf07c91cf in epoll_event_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_epoll.c:937
#3  0x00007fdcf07c5931 in std_event_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_standard.c:110
#4  0x00007fdcf07bd2a4 in _tevent_loop_once (ev=0x7fdcdb075920, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent.c:772
#5  0x00007fdcf07bfd40 in tevent_req_poll (req=0x7fdcdb091f00, ev=0x7fdcdb075920) at ../../lib/tevent/tevent_req.c:300
#6  0x00007fdcf17b4acf in tevent_req_poll_ntstatus (req=0x7fdcdb091f00, ev=0x7fdcdb075920, status=0x7fff02781394) at ../../lib/util/tevent_ntstatus.c:109
#7  0x00007fdcec30ba76 in cldap_multi_netlogon (mem_ctx=0x7fdcdb07d680, servers=0x7fff02781420, num_servers=1, domain=0x7fdcdb016390 "ztest.ad", hostname=0x0, ntversion=6, min_servers=1, timeout=..., responses=0x7fff02781428) at ../../source3/libads/cldap.c:348
#8  0x00007fdcec30bc71 in ads_cldap_netlogon (mem_ctx=0x7fdcdb07d680, ss=0x7fff02781690, realm=0x7fdcdb016390 "ztest.ad", nt_version=6, _reply=0x7fff027814d0) at ../../source3/libads/cldap.c:389
#9  0x00007fdcec30be14 in ads_cldap_netlogon_5 (mem_ctx=0x7fdcdb07d680, ss=0x7fff02781690, realm=0x7fdcdb016390 "ztest.ad", reply5=0x7fff02781530) at ../../source3/libads/cldap.c:423
#10 0x00007fdcf036fa7c in ads_try_connect (ads=0x7fdcdb089a80, gc=false, ss=0x7fff02781690) at ../../source3/libads/ldap.c:259
#11 0x00007fdcf0370b49 in ads_connect (ads=0x7fdcdb089a80) at ../../source3/libads/ldap.c:605
#12 0x000055d176cdb821 in dcip_check_name (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, pss=0x7fff02781a10, name=0x7fff027819f8, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1431
#13 0x000055d176cdcfec in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1932
#14 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#15 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#16 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#17 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#18 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#19 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

2. Then during ~6sec till 11:37:09 winbindd sends UDP requests to the port 53 (DNS) (but in some of my tests it took up to ~20sec):

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 172.29.224.119:35435    10.20.88.51:53          ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce9089b77 in epoll_wait () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf07c8815 in epoll_event_loop (epoll_ev=0x7fdcdb02d200, tvalp=0x7fff02780dd0) at ../../lib/tevent/tevent_epoll.c:650
#2  0x00007fdcf07c91cf in epoll_event_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_epoll.c:937
#3  0x00007fdcf07c5931 in std_event_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent_standard.c:110
#4  0x00007fdcf07bd2a4 in _tevent_loop_once (ev=0x7fdcdb0760a0, location=0x7fdcf07c9ab0 "../../lib/tevent/tevent_req.c:300") at ../../lib/tevent/tevent.c:772
#5  0x00007fdcf07bfd40 in tevent_req_poll (req=0x7fdcdb091f00, ev=0x7fdcdb0760a0) at ../../lib/tevent/tevent_req.c:300
#6  0x00007fdcf17b4acf in tevent_req_poll_ntstatus (req=0x7fdcdb091f00, ev=0x7fdcdb0760a0, status=0x7fff02780f1c) at ../../lib/util/tevent_ntstatus.c:109
#7  0x00007fdce4c9bb9f in ads_dns_lookup_srv (ctx=0x7fdcdb07d800, name=0x7fdcdb11e0c0 "_kerberos._tcp.dc._msdcs.ztest.ad", dclist=0x7fff02781068, numdcs=0x7fff02780f9c) at ../../lib/addns/dnsquery.c:218
#8  0x00007fdce4c9c4ad in ads_dns_query_internal (ctx=0x7fdcdb07d800, servicename=0x7fdce4ca0f40 "_kerberos", dc_pdc_gc_domains=0x7fdce4ca0f34 "dc", realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, dclist=0x7fff02781068, numdcs=0x7fff02781058) at ../../lib/addns/dnsquery.c:418
#9  0x00007fdce4c9c5e3 in ads_dns_query_kdcs (ctx=0x7fdcdb07d800, dns_forest_name=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, dclist=0x7fff02781068, numdcs=0x7fff02781058) at ../../lib/addns/dnsquery.c:483
#10 0x00007fdcec31ad03 in resolve_ads (name=0x7fdcdb0ccd90 "ztest.ad", name_type=56540, sitename=0x0, return_iplist=0x7fff02781250, return_count=0x7fff0278122c) at ../../source3/libsmb/namequery.c:2427
#11 0x00007fdcec31ba2f in internal_resolve_name (name=0x7fdcdb0ccd90 "ztest.ad", name_type=56540, sitename=0x0, return_iplist=0x7fff02781250, return_count=0x7fff0278122c, resolve_order=0x7fdcdb0cd180) at ../../source3/libsmb/namequery.c:2695
#12 0x00007fdcec31d0df in get_dc_list (domain=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, ip_list=0x7fff027813f8, count=0x7fff027813e4, lookup_type=DC_KDC_ONLY, ordered=0x7fff027813a3) at ../../source3/libsmb/namequery.c:3138
#13 0x00007fdcec31dd3f in get_kdc_list (realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x0, ip_list=0x7fff027813f8, count=0x7fff027813e4) at ../../source3/libsmb/namequery.c:3368
#14 0x00007fdcec309415 in get_kdc_ip_string (mem_ctx=0x7fdcdb0cbfe0 "/var/lock/samba/smb_krb5", realm=0x7fdcdb0ccd90 "ztest.ad", sitename=0x7fdcdb0d00e0 "Default-First-Site-Name", pss=0x7fdcdb089bb0) at ../../source3/libads/kerberos.c:457
#15 0x00007fdcec309e53 in create_local_private_krb5_conf_for_domain (realm=0x7fdcdb0ccd90 "ztest.ad", domain=0x7fdcdb0ccc40 "ZTEST", sitename=0x7fdcdb0d00e0 "Default-First-Site-Name", pss=0x7fdcdb089bb0) at ../../source3/libads/kerberos.c:698
#16 0x00007fdcf038c1f2 in ads_dc_name (domain=0x7fdcdb0ccc40 "ZTEST", realm=0x7fdcdb0ccd90 "ztest.ad", dc_ss=0x7fff02781630, srv_name=0x7fff027817d0 "\377\377\377\377\334\177") at ../../source3/libsmb/namequery_dc.c:113
#17 0x00007fdcf038c97d in get_dc_name (domain=0x7fdcdb0ccc40 "ZTEST", realm=0x7fdcdb0ccd90 "ztest.ad", srv_name=0x7fff027817d0 "\377\377\377\377\334\177", ss_out=0x7fff02781720) at ../../source3/libsmb/namequery_dc.c:240
#18 0x000055d176cdbed6 in get_dcs (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, dcs=0x7fff02781938, num_dcs=0x7fff02781928, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1572
#19 0x000055d176cdc39b in find_new_dc (mem_ctx=0x7fdcdb07d6e0, domain=0x7fdcdb042260, dcname=0x7fff027819f8, pss=0x7fdcdb042310, fd=0x7fff027819e8, request_flags=0) at ../../source3/winbindd/winbindd_cm.c:1686
#20 0x000055d176cdd2f2 in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1972
#21 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#22 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#23 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#24 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#25 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#26 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

3. And finally winbind tries to connect to port 88 (kerberos) and the connection is stuck in the SYN_SENT state:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      1 172.29.224.119:37789    10.20.88.51:88          SYN_SENT    23765/winbindd: dom 
tcp        0      0 172.29.224.119:55235    10.20.90.85:445         ESTABLISHED 23765/winbindd: dom 

Thread 1 (Thread 0x7fdcdba01b40 (LWP 23765)):
#0  0x00007fdce908a8b4 in connect () from target:/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007fdcf22d58c7 in libc_connect (sockfd=25, addr=0x7fdcdb060e30, addrlen=16) at libzsocket/libzsocket.c:168
#2  0x00007fdcf22d6b4f in connect (sockfd=25, addr=0x7fdcdb060e30, addrlen=16) at libzsocket/libzsocket.c:330
#3  0x00007fdced281465 in krb5_sendto (context=0x7fdcdb076180, send_data=0x7fff027807e0, handle=0x7fdcdb060dc0, receive=0x7fff027807f0) at ../../source4/heimdal/lib/krb5/send_to_kdc.c:422
#4  0x00007fdced281a9d in krb5_sendto_context (context=0x7fdcdb076180, ctx=0x7fdcdb0c97a0, send_data=0x7fff027807e0, realm=0x7fdcdb0164a0 "ZTEST.AD", receive=0x7fff027807f0) at ../../source4/heimdal/lib/krb5/send_to_kdc.c:626
#5  0x00007fdced25844a in get_cred_kdc (context=0x7fdcdb076180, id=0x7fdcdb0c9940, flags=..., addresses=0x0, in_creds=0x7fff02780cd0, krbtgt=0x7fff02780c40, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fff02780d60) at ../../source4/heimdal/lib/krb5/get_cred.c:521
#6  0x00007fdced258850 in get_cred_kdc_address (context=0x7fdcdb076180, id=0x7fdcdb0c9940, flags=..., addrs=0x0, in_creds=0x7fff02780cd0, krbtgt=0x7fff02780c40, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fff02780d60) at ../../source4/heimdal/lib/krb5/get_cred.c:629
#7  0x00007fdced259a03 in get_cred_kdc_referral (context=0x7fdcdb076180, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fdcdb0d0930, ret_tgts=0x7fff02780f78) at ../../source4/heimdal/lib/krb5/get_cred.c:998
#8  0x00007fdced259ea4 in _krb5_get_cred_kdc_any (context=0x7fdcdb076180, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, impersonate_principal=0x0, second_ticket=0x0, out_creds=0x7fdcdb0d0930, ret_tgts=0x7fff02780f78) at ../../source4/heimdal/lib/krb5/get_cred.c:1103
#9  0x00007fdced25a13f in krb5_get_credentials_with_flags (context=0x7fdcdb076180, options=0, flags=..., ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, out_creds=0x7fdcdb0d0930) at ../../source4/heimdal/lib/krb5/get_cred.c:1198
#10 0x00007fdced25a254 in krb5_get_credentials (context=0x7fdcdb076180, options=0, ccache=0x7fdcdb0c9940, in_creds=0x7fff02781040, out_creds=0x7fdcdb0d0930) at ../../source4/heimdal/lib/krb5/get_cred.c:1219
#11 0x00007fdce67f1b1c in gsskrb5_get_creds (minor_status=0x7fff027813fc, context=0x7fdcdb076180, ccache=0x7fdcdb0c9940, ctx=0x7fdcdb0d0900, target_name=0x7fdcdb0c9480, use_dns=0, time_req=0, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:248
#12 0x00007fdce67f21b1 in init_auth (minor_status=0x7fff027813fc, cred=0x7fdcdb060f00, ctx=0x7fdcdb0d0900, context=0x7fdcdb076180, name=0x7fdcdb0c9480, mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:457
#13 0x00007fdce67f3175 in _gsskrb5_init_sec_context (minor_status=0x7fff027813fc, cred_handle=0x7fdcdb060f00, context_handle=0x7fdcdb016238, target_name=0x7fdcdb0c9480, mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_chan_bindings=0x0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/krb5/init_sec_context.c:944
#14 0x00007fdce680d654 in gss_init_sec_context (minor_status=0x7fff027813fc, initiator_cred_handle=0x7fdcdb0610d0, context_handle=0x7fdcdb080d60, target_name=0x7fdcdb00ed90, input_mech_type=0x7fdcdb080db8, req_flags=32814, time_req=0, input_chan_bindings=0x0, input_token=0x7fff02781450, actual_mech_type=0x0, output_token=0x7fff02781460, ret_flags=0x7fdcdb080d7c, time_rec=0x7fff02781404) at ../../source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c:187
#15 0x00007fdcec306183 in gse_get_client_auth_token (mem_ctx=0x7fdcdb092b30, gensec_security=0x7fdcdb010960, token_in=0x7fff027814d0, token_out=0x7fdcdb092b38) at ../../source3/librpc/crypto/gse.c:487
#16 0x00007fdcec307143 in gensec_gse_update_internal (gensec_security=0x7fdcdb010960, mem_ctx=0x7fdcdb092b30, in=..., out=0x7fdcdb092b38) at ../../source3/librpc/crypto/gse.c:879
#17 0x00007fdcec307052 in gensec_gse_update_send (mem_ctx=0x7fdcdb0927b0, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010960, in=...) at ../../source3/librpc/crypto/gse.c:854
#18 0x00007fdcea4cac88 in gensec_update_send (mem_ctx=0x7fdcdb128230, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010960, in=...) at ../../auth/gensec/gensec.c:449
#19 0x00007fdcea4b6ac9 in gensec_spnego_update_send (mem_ctx=0x7fdcdb092430, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010a60, in=...) at ../../auth/gensec/spnego.c:1750
#20 0x00007fdcea4cac88 in gensec_update_send (mem_ctx=0x7fdcdb093cb0, ev=0x7fdcdb075920, gensec_security=0x7fdcdb010a60, in=...) at ../../auth/gensec/gensec.c:449
#21 0x00007fdcecda2153 in cli_session_setup_gensec_local_next (req=0x7fdcdb093b00) at ../../source3/libsmb/cliconnect.c:996
#22 0x00007fdcecda207c in cli_session_setup_gensec_send (mem_ctx=0x7fdcdb0935b0, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260, target_service=0x7fdcecdf7386 "cifs", target_hostname=0x7fdcdb0cbd60 "WIN-JIE7G4JU4L2.ztest.ad") at ../../source3/libsmb/cliconnect.c:976
#23 0x00007fdcecda2f7b in cli_session_setup_spnego_send (mem_ctx=0x7fdcdb0920b0, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1345
#24 0x00007fdcecda3462 in cli_session_setup_creds_send (mem_ctx=0x7fdcdb075920, ev=0x7fdcdb075920, cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1504
#25 0x00007fdcecda4423 in cli_session_setup_creds (cli=0x7fdcdb0760a0, creds=0x7fdcdb062260) at ../../source3/libsmb/cliconnect.c:1842
#26 0x000055d176cdab41 in cm_prepare_connection (domain=0x7fdcdb042260, sockfd=23, controller=0x7fdcdb0d00e0 "WIN-JIE7G4JU4L2.ztest.ad", cli=0x7fdcdb0423a0, retry=0x7fff027819e1) at ../../source3/winbindd/winbindd_cm.c:1164
#27 0x000055d176cdd3ba in cm_open_connection (domain=0x7fdcdb042260, new_conn=0x7fdcdb0423a0, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:1993
#28 0x000055d176cddb09 in init_dc_connection_network (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2203
#29 0x000055d176cddba6 in init_dc_connection (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2223
#30 0x000055d176cddbcb in init_dc_connection_rpc (domain=0x7fdcdb042260, need_rw_dc=false) at ../../source3/winbindd/winbindd_cm.c:2230
#31 0x000055d176ce130f in cm_connect_netlogon (domain=0x7fdcdb042260, cli=0x7fff02781b80) at ../../source3/winbindd/winbindd_cm.c:3421
#32 0x000055d176cf92a3 in _wbint_PingDc (p=0x7fff02781d50, r=0x7fdcdb0c88f0) at ../../source3/winbindd/winbindd_dual_srv.c:817
#33 0x000055d176d6a21a in api_wbint_PingDc (p=0x7fff02781d50) at librpc/gen_ndr/srv_winbind.c:1579

Notice that in frame #26 it has already selected the "good" DC WIN-JIE7G4JU4L2, but then sends the kerberos request again to the old DC WIN-EJ7MV1SFC5N that is down.

Only ~4.5 min later, at 11:41:32, winbindd resumes, but complains that it failed to prepare the SMB connection to WIN-JIE7G4JU4L2, although WIN-JIE7G4JU4L2 is up.

If in get_trust_credentials() I explicitly require not to use kerberos (call cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS) there), winbind is stuck for 20-30 sec (in stages 1. and 2.) but then successfully switches to the 2nd DC using NTLM.

Attached is log.wb-ZTEST with debug level 10.
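
Added example (not part of the original report and not Samba code): a small triage helper that reads `netstat -anp` rows like the ones quoted above, reports which of the three stages winbindd is in towards the stopped DC, and flags the stage 3 pattern where SMB to the other DC is up while the Kerberos connect to the stopped DC sits in SYN_SENT. The function names are hypothetical, the sample rows are copied from the report, and only IPv4 rows are handled.

```python
import re

# Destination (proto, port) -> what winbindd is doing, per the report's stages.
STAGES = {("udp", 389): "1: CLDAP netlogon ping",
          ("udp", 53): "2: DNS SRV lookup",
          ("tcp", 88): "3: Kerberos connect"}

# One `netstat -anp` row; the state column may be empty for UDP sockets.
ROW = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+\S+\s+"
    r"(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<state>[A-Z][A-Z_0-9]*)\s+)?"
    r"(?P<pid>\d+)/(?P<prog>\S+)")

def parse_netstat(text, program="winbindd"):
    """Return the sockets owned by `program` as a list of dicts."""
    socks = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m["prog"].startswith(program):
            socks.append({"proto": m["proto"], "ip": m["ip"],
                          "port": int(m["port"]), "state": m["state"] or "",
                          "pid": int(m["pid"])})
    return socks

def stages_seen(socks, down_dc):
    """Sorted stage labels that have a socket open towards the stopped DC."""
    return sorted({STAGES[(s["proto"], s["port"])] for s in socks
                   if s["ip"] == down_dc and (s["proto"], s["port"]) in STAGES})

def kdc_blocks_failover(socks, down_dc):
    """True for the stage 3 pattern: SMB to another DC is ESTABLISHED while
    a Kerberos connect to the stopped DC is still in SYN_SENT."""
    syn = any(s["ip"] == down_dc and (s["proto"], s["port"]) == ("tcp", 88)
              and s["state"] == "SYN_SENT" for s in socks)
    smb = any(s["ip"] != down_dc and (s["proto"], s["port"]) == ("tcp", 445)
              and s["state"] == "ESTABLISHED" for s in socks)
    return syn and smb

# Rows copied from the report (stage 1 and stage 3 snapshots).
STAGE1 = "udp        0      0 172.29.224.119:58599    10.20.88.51:389         ESTABLISHED 23765/winbindd: dom"
STAGE3 = """\
tcp        0      1 172.29.224.119:37789    10.20.88.51:88          SYN_SENT    23765/winbindd: dom
tcp        0      0 172.29.224.119:55235    10.20.90.85:445         ESTABLISHED 23765/winbindd: dom
"""

if __name__ == "__main__":
    for snap in (STAGE1, STAGE3):
        socks = parse_netstat(snap)
        print(stages_seen(socks, "10.20.88.51"),
              kdc_blocks_failover(socks, "10.20.88.51"))
```

Feed it the output of `netstat -anp` taken while `wbinfo -P` is hanging, with the address of the stopped DC as `down_dc`.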