[Bug 1159715] Re: winbind_krb5_locator plugin is missing from winbind 3.6.3

roelof van der kleij 1159715 at bugs.launchpad.net
Fri May 17 08:09:33 UTC 2013


I noticed this bug while researching symptoms similar to yours. However,
while during logon we occasionally hit the external DC, it responds
quickly in our case. In the end, I found out the delays were caused by
time sync issues resulting in the client having to request service
tickets for the LDAP queries to the DC's multiple times which in return
resulted in an extremely high number of DNS queries.

The total number of DNS lookups for a single logon + homedir mount runs
into the hundreds because each time all service records are queried
again. It also turned out that every now and then a query would not be
answered, resulting in timeouts. The cumulative DNS timeouts (10-30
timeouts for a single logon session) caused most of the delays.

What does not help here is that Ubuntu uses dnsmasq, but has its
resolver cache disabled. (Windows clients do have resolver caches and
need them)

In the end I did three quick fixes pending further investigation:
- I defined my domain controllers as NTP servers in ntp.conf
- I hard coded the DC's in krb5.conf, reducing the number of service records lookups needed to find the KDC for the realm;
- I installed a pdns resolver listening on 127.0.0.3 and configured it to forward all queries to the DC's (the disabling of the cache in dnsmasq turned out to be hard-coded by Ubuntu and I didn't want to touch that)

winbind and kerberos is a fragile thing......

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1159715

Title:
  winbind_krb5_locator plugin is missing from winbind 3.6.3

Status in “samba” package in Ubuntu:
  Triaged
Status in “samba” package in Debian:
  New

Bug description:
  I noticed the winbind_krb5_locator.so kerberos plugin is missing from
  the samba package. Since I could not find any mention of why it is
  not included, I report it as a bug.

  We are using winbind to authenticate against a Microsoft AD, but use
  kerberised NFS4 for the home directories. While winbind is site aware,
  MIT kerberos is not without this plugin so nfsv4 mounts result in
  service ticket requests outside of the site.

  
  We are using Ubuntu 12.04 LTS and winbind 3.6.3-2ubuntu2.4

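The comment above attributes the logon delays to repeated service-record lookups and to DNS queries that were never answered. As an added example (not part of the original message or of any Ubuntu or Samba tooling), this script measures both from a resolver query log. The log format follows dnsmasq's `log-queries` output as an assumption, and the sample lines, the `example.test` names and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, written in the style of dnsmasq's query log
# (log-queries); the format and the example.test names are assumptions.
SAMPLE_LOG = """\
May 17 08:00:01 dnsmasq[901]: query[SRV] _kerberos._tcp.example.test from 127.0.0.1
May 17 08:00:01 dnsmasq[901]: forwarded _kerberos._tcp.example.test to 10.0.0.10
May 17 08:00:01 dnsmasq[901]: reply _kerberos._tcp.example.test is <SRV>
May 17 08:00:02 dnsmasq[901]: query[SRV] _ldap._tcp.example.test from 127.0.0.1
May 17 08:00:02 dnsmasq[901]: forwarded _ldap._tcp.example.test to 10.0.0.10
May 17 08:00:07 dnsmasq[901]: query[SRV] _ldap._tcp.example.test from 127.0.0.1
May 17 08:00:07 dnsmasq[901]: forwarded _ldap._tcp.example.test to 10.0.0.11
May 17 08:00:07 dnsmasq[901]: reply _ldap._tcp.example.test is <SRV>
May 17 08:00:08 dnsmasq[901]: query[SRV] _kerberos._tcp.example.test from 127.0.0.1
May 17 08:00:08 dnsmasq[901]: forwarded _kerberos._tcp.example.test to 10.0.0.10
May 17 08:00:08 dnsmasq[901]: reply _kerberos._tcp.example.test is <SRV>
May 17 08:00:09 dnsmasq[901]: query[A] dc1.example.test from 127.0.0.1
May 17 08:00:09 dnsmasq[901]: forwarded dc1.example.test to 10.0.0.10
"""

LINE = re.compile(
    r"dnsmasq\[\d+\]: (?:query\[(?P<qtype>\w+)\]|(?P<event>reply|forwarded)) (?P<name>\S+)"
)

def summarize(log_text):
    """Count lookups per (type, name) and queries that never got a reply."""
    queries = Counter()
    pending = set()      # names asked for and not yet answered
    unanswered = 0
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        name = m["name"].lower()
        if m["qtype"]:
            queries[(m["qtype"], name)] += 1
            if name in pending:
                unanswered += 1   # asked again before any reply arrived
            pending.add(name)
        elif m["event"] == "reply":
            pending.discard(name)
    unanswered += len(pending)    # still open at the end of the log
    repeated = {key: n for key, n in queries.items() if n > 1}
    return {"total": sum(queries.values()), "repeated": repeated,
            "unanswered": unanswered}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it on logs captured before and after a change such as pinning the KDCs in krb5.conf shows whether the repeated SRV lookups and unanswered queries actually dropped.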