[Bug 1159715] Re: winbind_krb5_locator plugin is missing from winbind 3.6.3

roelof van der kleij 1159715 at bugs.launchpad.net
Fri May 17 08:09:33 UTC 2013


I noticed this bug while researching symptoms similar to yours. However,
while during logon we occasionally hit the external DC, it responds
quickly in our case. In the end, I found out the delays were caused by
time sync issues resulting in the client having to request service
tickets for the LDAP queries to the DCs multiple times, which in turn
resulted in an extremely high number of DNS queries.

The total number of DNS lookups for a single logon + homedir mount runs
into the hundreds because each time all service records are queried
again. It also turned out that every now and then a query would not be
answered, resulting in timeouts. The cumulative DNS timeouts (10-30
timeouts for a single logon session) caused most of the delays.

What does not help here is that Ubuntu uses dnsmasq, but has its
resolver cache disabled. (Windows clients do have resolver caches and
need them.)

In the end I did three quick fixes pending further investigation:
- I defined my domain controllers as NTP servers in ntp.conf;
- I hard-coded the DCs in krb5.conf, reducing the number of service record lookups needed to find the KDC for the realm;
- I installed a pdns resolver listening on 127.0.0.3 and configured it to forward all queries to the DCs (the disabling of the cache in dnsmasq turned out to be hard-coded by Ubuntu and I didn't want to touch that).

winbind and kerberos is a fragile thing......

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1159715
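
One way to measure the DNS behaviour described in the message above, as an added example that is not part of the original bug comment: a script that counts repeated SRV lookups and queries that never got a reply in a resolver query log. The log lines are constructed in the style of dnsmasq's `log-queries` output; the host names, addresses and the 5-second timeout are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not from the bug report): one logon with a retried, unanswered SRV query.
SAMPLE_LOG = """\
May 17 08:09:01 dnsmasq[1021]: query[SRV] _kerberos._tcp.example.test from 127.0.0.1
May 17 08:09:01 dnsmasq[1021]: forwarded _kerberos._tcp.example.test to 192.0.2.10
May 17 08:09:01 dnsmasq[1021]: reply _kerberos._tcp.example.test is <SRV>
May 17 08:09:01 dnsmasq[1021]: query[SRV] _ldap._tcp.example.test from 127.0.0.1
May 17 08:09:01 dnsmasq[1021]: reply _ldap._tcp.example.test is <SRV>
May 17 08:09:02 dnsmasq[1021]: query[SRV] _kerberos._tcp.example.test from 127.0.0.1
May 17 08:09:02 dnsmasq[1021]: forwarded _kerberos._tcp.example.test to 192.0.2.10
May 17 08:09:07 dnsmasq[1021]: query[SRV] _kerberos._tcp.example.test from 127.0.0.1
May 17 08:09:08 dnsmasq[1021]: reply _kerberos._tcp.example.test is <SRV>
May 17 08:09:08 dnsmasq[1021]: query[A] dc1.example.test from 127.0.0.1
May 17 08:09:08 dnsmasq[1021]: reply dc1.example.test is 192.0.2.10
"""

# Time of day, then a query, reply or cached line and the name it refers to.
LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d) .*?dnsmasq\[\d+\]: "
    r"(query\[(\w+)\]|reply|cached) (\S+) ")

def summarize(log, timeout=5):
    """Count SRV queries per name and list queries with no answer within `timeout` s."""
    queries = []                 # (seconds since midnight, qtype, name)
    answers = defaultdict(list)  # name -> times an answer was logged
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue             # 'forwarded' and unrelated lines
        secs = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        if m[4] in ("reply", "cached"):
            answers[m[6]].append(secs)
        else:
            queries.append((secs, m[5], m[6]))
    srv = Counter(name for _, qtype, name in queries if qtype == "SRV")
    unanswered = [(name, qtype) for t, qtype, name in queries
                  if not any(0 <= a - t < timeout for a in answers[name])]
    return {"total": len(queries), "srv_per_name": srv,
            "repeated_srv": sorted(n for n, c in srv.items() if c > 1),
            "unanswered": unanswered}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Comparing the totals for one logon before and after a change such as fixing time sync or hard-coding the KDCs shows whether the lookup volume and the timeouts actually went down.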
