winbind_krb5_locator plugin is missing from winbind 3.6.3

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Based on the build logs, it looks like this file is being built but is not added to the binary package. I can't get to Debian's build log at the moment, but the file is also missing from the samba package there, so it seems likely that it's the same issue there.

This bug should probably be verified on Debian and filed there too.

I suspect I'm seeing the results of this on some 12.04 virtual servers. The strange thing is that I'm pretty sure we've had 12.04 servers work properly in the past. I've tried it with both 3.6.3-2ubuntu2.6 and 3.6.3-2ubuntu2.

We've been getting console errors about either uncontactable KDCs or clock skew being too great when logging in via SSH with GSSAPI, or when using sudo. The logins and sudo take a long time to happen - even local unix accounts are held up. After logging in there is no kerberos ticket cache.

Manually using kinit authenticates successfully though and will create a ticket cache. So non-winbind vanilla kerberos stuff isn't affected.

The clock skew errors will even happen straight after an ntpdate update from the AD domain controller. I suspect this is erroneous and just a symptom related to not finding our domain controller.

The things that make me suspect it's related to this bug report are:

1) kerberos only fails to find the DC when being initiated via winbind, and
2) winbind seems to start behaving properly when we hard code our domain controller/KDC into /etc/krb5.conf

I noticed this bug while researching symptoms similar to yours. However, while during logon we occasionally hit the external DC, it reponds quickly in our case. In the end, I found out the delays were caused by time sync issues resulting in the client having to request service tickets for the LDAP queries to the DC's multiple times which in return resulted in an extremely high number of DNS queries.

The total number of DNS lookups for a single logon + homedir mount runs into the hundreds because each time all service records are queried again. It also turned out that every now and than a query would not be answered, resulting in timeouts. The cumulative DNS timeouts (10-30 timeouts for a single logon session) caused most of the delays.

What does not help here is that Ubuntu uses dnsmasq, but has its resolver cache disabled. (windows clients do have resolver caches and need them)

In the end I did three quick fixes pending further investigation:
- I defined my domain controllers as NTP servers in ntp.conf
- I hard coded the DC's in krb5.conf, reducing the number of service records lookups needed to fild the KDC for the realm;
- I installed a pdns resolver listening on 127.0.0.3 and configured it to forwarded all queries to the DC's (the disabling of the cache in dnsmasq turned out to be hard-coded by Ubuntu and I didn't wanted to touch that)

winbind and kerberos is a fragile thing......