I believe that it only affects Active Directory membership and when using Kerberos. I also believe it was an oversight as a few lines before, the debug output says it is going to do one thing, but in the actual function call, it uses a different variable. By changing the variable to what the debug output specifies, Samba correctly guesses the SPN for the DCs and there seems to be a large speed-up in reconnection after the DCs close the connections. The change is as follows:

--- winbindd/winbindd_cm.c.orig 2009-08-30 07:56:54.000000000 -0600 +++ winbindd/winbindd_cm.c 2009-08-28 12:01:44.000000000 -0600 @@ -836,7 +836,7 @@ machine_krb5_principal, machine_password, lp_workgroup(), - domain->name); + domain->alt_name); if (!ADS_ERR_OK(ads_status)) { DEBUG(4,("failed kerberos session setup with %s\n",

Very small change, 7 lines above is the debug message outputting domain->alt_name instead of domain->name. This sends DOMAIN.LOCAL to cli_session_setup_spnego instead of DOMAIN which is used to construct the SPN of DC1$@DOMAIN.LOCAL (which is valid) instead of DC1$@DOMAIN (which is invalid). Again, I'm not sure what change that would have on anything else, but it seems important for Kerberos to work correctly. The patch seems to work for Samba 3.2.x and 3.3.x, but hasn't been extensively tested on all versions.
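Review bot: At the changed argument (`+ domain->alt_name);`), nothing in the hunk shows that `domain->alt_name` is populated when this call is reached, and the submitter notes the effect on other code paths is unknown. If `alt_name` can be empty here, the SPN would be built from an empty realm and the Kerberos session setup would fail where `domain->name` at least produced a principal, so consider guarding the call (fall back to `domain->name` when `alt_name` is empty) or confirming that this branch is only entered with the DNS domain name set. The DEBUG(4, "failed kerberos session setup with %s\n") call that follows is cut off before its arguments; it is worth checking that it logs the same value now passed to the session setup, so the log and the call cannot drift apart again. A one-line comment at the call site saying that the realm (DOMAIN.LOCAL form), not the short domain name, is required for SPN construction would keep the argument from being swapped back.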
Great catch! Applied your patch to master, thanks!
Created attachment 4666: git format-patch version

Jeremy, I think we should have this one also in 3.4 (and 3.3)
+1. This is an obvious typo with a large effect. Karolin, I think this one should be in 3.4.1 (and 3.3.x as well - probably the 3.2.x tree if you're feeling generous :-). Jeremy.
Pushed to v3-3-test and v3-4-test. 3.2 is security fixes only. Closing out bug report. Thanks!