winbind_krb5_locator plugin is missing from winbind 3.6.3

Bug #1159715 reported by roelof van der kleij
Affects          Status         Importance   Assigned to   Milestone
samba (Debian)   Fix Released   Unknown
samba (Ubuntu)   Triaged        Medium       Unassigned

Bug Description

I noticed the winbind_krb5_locator.so kerberos plugin is missing from the samba package. Since I could not find any mention of why it is not included, I report it as a bug.

We are using winbind to authenticate against a Microsoft AD, but use kerberised NFS4 for the home directories. While winbind is site aware, MIT kerberos is not without this plugin, so nfsv4 mounts result in service ticket requests outside of the site.

We are using Ubuntu 12.04 LTS and winbind 3.6.3-2ubuntu2.4.

affects: util-linux (Ubuntu) → samba (Ubuntu)
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Based on the build logs, it looks like this file is being built but is not added to the binary package. I can't get to Debian's build log at the moment, but the file is also missing from the samba package there, so it seems likely that it's the same issue there.

This bug should probably be verified on Debian and filed there too.

Changed in samba (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Changed in samba (Debian):
status: Unknown → New
styro (anton-list) wrote :

I suspect I'm seeing the results of this on some 12.04 virtual servers. The strange thing is that I'm pretty sure we've had 12.04 servers work properly in the past. I've tried it with both 3.6.3-2ubuntu2.6 and 3.6.3-2ubuntu2.

We've been getting console errors about either uncontactable KDCs or clock skew being too great when logging in via SSH with GSSAPI, or when using sudo. The logins and sudo take a long time to happen - even local unix accounts are held up. After logging in there is no kerberos ticket cache.

Manually using kinit authenticates successfully though and will create a ticket cache. So non-winbind vanilla kerberos stuff isn't affected.

The clock skew errors will even happen straight after an ntpdate update from the AD domain controller. I suspect this is erroneous and just a symptom related to not finding our domain controller.

The things that make me suspect it's related to this bug report are:

1) kerberos only fails to find the DC when being initiated via winbind, and
2) winbind seems to start behaving properly when we hard code our domain controller/KDC into /etc/krb5.conf

roelof van der kleij (r-g-van-der-kleij) wrote :

I noticed this bug while researching symptoms similar to yours. However, while during logon we occasionally hit the external DC, it responds quickly in our case. In the end, I found out the delays were caused by time sync issues resulting in the client having to request service tickets for the LDAP queries to the DCs multiple times, which in return resulted in an extremely high number of DNS queries.

The total number of DNS lookups for a single logon + homedir mount runs into the hundreds because each time all service records are queried again. It also turned out that every now and then a query would not be answered, resulting in timeouts. The cumulative DNS timeouts (10-30 timeouts for a single logon session) caused most of the delays.

What does not help here is that Ubuntu uses dnsmasq, but has its resolver cache disabled. (Windows clients do have resolver caches and need them.)

In the end I did three quick fixes pending further investigation:
- I defined my domain controllers as NTP servers in ntp.conf
- I hard coded the DCs in krb5.conf, reducing the number of service record lookups needed to find the KDC for the realm;
- I installed a pdns resolver listening on 127.0.0.3 and configured it to forward all queries to the DCs (the disabling of the cache in dnsmasq turned out to be hard-coded by Ubuntu and I didn't want to touch that)

winbind and kerberos are a fragile thing...

Changed in samba (Debian):
status: New → Fix Released
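The "hard code the DCs in krb5.conf" workaround that both comments above describe, written out as an added example that is not part of the bug report; EXAMPLE.COM and the dc*.example.com hosts are placeholders:

```ini
# /etc/krb5.conf (added example, not from the bug report; realm and host names are placeholders)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not locate KDCs via _kerberos._tcp SRV lookups: with the locator
    # plugin absent, repeated SRV queries per service-ticket request are what
    # drove the hundreds of DNS lookups per logon described above.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Leave the skew window at its default (300 s) and fix time sync against
    # the DCs instead of widening it; the "clock skew too great" errors in the
    # thread were a symptom of not reaching a DC, not of real skew.
    clockskew = 300

[realms]
    EXAMPLE.COM = {
        # Without winbind_krb5_locator.so the MIT library is not site aware,
        # so it simply tries these in order: list the site-local DCs first.
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Because this pins the client to a fixed list, the file has to be maintained per site (a client moved to another site will still talk to the listed DCs), which is exactly the site awareness the missing plugin would otherwise provide.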