From: Dina_Fine@Dell.com
To: samba-technical@lists.samba.org
Subject: winbind_krb5_locator bug when the Domain Controller has multiple network IPs (smb3.5.8)

Hello

It seems the winbind_krb5_locator doesn't function correctly when the Domain Controller has multiple network IPs and some of the IPs are not reachable from the samba server system.

The reason seems to be that only the winbind_krb5_locator uses the WBC_LOOKUP_DC_IP_REQUIRED flag for the dsgetdcname request. All other flows (like join domain) use only the DNS name and then resolve the name->IP in a smart way (taking an IP which responds to an LDAP request).

P.S. We have a customer environment where this bug actually takes place. Sometimes the net join fails and sometimes net ads testjoin fails due to a Kerberos error: Cannot contact any KDC for requested realm

Debugging the winbind_krb5_locator showed it replies with an incorrect IP for the Kerberos Domain Controller request, which leads to the Kerberos error.
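The name-then-probe selection the report contrasts with the locator's behaviour, as an added Python sketch that is not part of the original report or of Samba's code. The host name, addresses, function names and the TCP connect used as the reachability check are all assumptions made for illustration.

```python
import socket
from typing import Callable, List, Optional, Tuple

LDAP_PORT = 389

# Constructed sample: one DC name with two addresses, only one routable from
# the Samba host (documentation address ranges, not values from the report).
SAMPLE_DNS = {"dc1.example.test": ["192.0.2.10", "198.51.100.20"]}
SAMPLE_REACHABLE = {"198.51.100.20"}


def tcp_probe(ip: str, port: int = LDAP_PORT, timeout: float = 2.0) -> bool:
    """True if ip accepts a TCP connection on the LDAP port (an assumed
    stand-in for the LDAP request the report mentions)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_all(name: str) -> List[str]:
    """Every distinct address the resolver returns for name, in order."""
    seen: List[str] = []
    for *_, sockaddr in socket.getaddrinfo(name, LDAP_PORT, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def locate_dc(name: str,
              resolve: Callable[[str], List[str]] = resolve_all,
              probe: Callable[[str], bool] = tcp_probe,
              ) -> Tuple[Optional[str], List[str]]:
    """Return (first address that answers the probe, addresses skipped)."""
    skipped: List[str] = []
    for ip in resolve(name):
        if probe(ip):
            return ip, skipped
        skipped.append(ip)
    return None, skipped  # nothing answered: report it rather than guess


if __name__ == "__main__":
    unchecked = SAMPLE_DNS["dc1.example.test"][0]  # address used without a probe
    ip, skipped = locate_dc("dc1.example.test", SAMPLE_DNS.__getitem__,
                            lambda a: a in SAMPLE_REACHABLE)
    print("unchecked:", unchecked, "| probed:", ip, "| skipped:", skipped)
```

The skipped list is worth logging: it records which DC addresses were unreachable from this host when a later Kerberos failure needs to be explained.
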
Created attachment 7502 (git-am fix for 3.5.next): Back port of what went into master and confirmed fixed by the reporter.
Comment on attachment 7502 (git-am fix for 3.5.next): This patch also applies cleanly to 3.6.x, so is suitable for both 3.5.x and 3.6.x.
Comment on attachment 7502 (git-am fix for 3.5.next): looks good
Assigning to Karolin for inclusion into 3.5 and 3.6 release branch
Pushed to v3-5-test and v3-6-test. Closing out bug report. Thanks!