Bug 3222 - smbclient failures with unreachable domain controller
Summary: smbclient failures with unreachable domain controller
Status: NEW
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools (show other bugs)
Version: 3.0.14a
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-28 09:03 UTC by Peter Fales
Modified: 2006-12-11 08:13 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Fales 2005-10-28 09:03:02 UTC
It seems likely that this problem has been already been addressed, but I didn't
find anything in a search.  My apologies if it's a duplicate.

We ran into a situation where Samba server that had been running for a long time
suddenly stopped allowing connections from Linux users, but it still worked for
Windows users. 

The smb.conf file contained:

   security=domain
   password server = SERVER1 SERVER2

The problems started when SERVER1 was taken off line, but still had an entry in
DNS.   It seems that Windows systems are able to fall back and use the second
server when the first one times out, but smbclient is not.  smbclient simply
reports an error after a 20 second delay.

This occurs even with smbclient 3.0.14a from Fedora Core 4.   The server is
older (2.0.4) but since windows clients are able to connect, I think (hope?)
that the problem can be fixed on the client side.   It's easier to change the
client than to get our IT organization to make changes to the server.
Comment 1 Jeremy Allison 2005-10-28 12:51:18 UTC
What exactly is happening here ? The clients aren't doing the authentication for
the server... I don't understand this report.
Jeremy.
Comment 2 Peter Fales 2005-10-28 14:10:24 UTC
Maybe I haven't characterized the problem accurately, but that's the way our
Samba guru described it to me and the symptoms are quite clear and reproducable.

SERVER1 is a host which has entry in DNS, but is not on line.   SERVER2 is a
valid windows DOMAIN controller.  When the line in smb.conf is:

  password server = SERVER1 SERVER2 

and smbclient tries to connect, the result printed to the console is:

  error '10971 ... server did not respond after 20000 milliseconds'.

and the messsage that shows up in the samba server log is

  [2005/10/25 16:31:32, 0] smbd/password.c:(1266)
          domain_client_validate: unable to connect to SMB server on machine
        SERVER1. Error was : code 0.

When the smb.conf line is changed to:

   password server = SERVER2

then everything is fine.

Despite this server mis-configuration, windows clients are still able to connect
to it.
Comment 3 Bettina van der Werf 2006-10-09 02:52:33 UTC
I have a similar problem.

'm running Samba 3.0.23c on Solaris 10. I have specified DOMAIN security and 2 password servers in smb.conf - SERVER1 and SERVER2. If SERVER1 goes down then SERVER2 is used for password authentication. However, when SERVER1 comes back on line it isn't used for authentication again unless the winbind daemon is restarted.

Has anyone else had this problem and/or know of a fix for it?

Many thanks!
Comment 4 James R Grinter (mail bounces back) 2006-12-11 08:13:11 UTC
I think this is a situation that you can recreate by stopping the NETLOGON service on a DC. 

The server remains up, it responds to netbios lookups (Samba's method of checking for availability), and it remains in the DNS list of DCs. It just doesn't respond to netlogon requests so Samba fails to authenticate the user.