Thanks for your response, Adam.

On Nov 20, 2009, at 12:51 AM, Adam Nielsen wrote:

> > password server    = foo.bar.baz

> Do you really need to specify a password server?<snip>

I don't know that it is necessary; I had a feeling it was cruft, but I've tried both ways without any difference. I'll leave it out of the config from now on.

> Given that the error message reports it can't find the login server,
> that would seem to indicate that either your DNS isn't set up properly
> for the domain, the machine can't resolve it properly, or there's some
> sort of firewall blocking some or all of the communication with the AD
> servers.

General DNS is working. I've disabled iptables for all of these tests, and there shouldn't be any firewall interruption between these hosts. As far as I am told, the DNS for the domain is delegated to the domain itself. Adding the DCs into resolv.conf explicitly doesn't seem to change the behavior.

> Can you run Wireshark/tcpdump while the problems are happening to see
> where the box is trying to connect to, and if it's receiving any responses?

I've done so. I see a few oddities, but nothing excruciatingly obvious. I see a couple of DNS requests for SRV _kerberos-master._udp.FOO.BAR.BAZ coming back with "No such name" responses, but I'm not sure if those are just resolution order normalities or not. The LDAP saslbind seems fine. I see the request for the attributes on the user going out, but only 3 of the requested 4 attributes come back (gecos is missing). I also see a request go out for SRV _ldap._tcp.dc._msdcs.* to DNS coming back with "No such name" responses.

One thing I notice is that the first time "wbinfo -i <user>" fails, it takes a few seconds to do so. However, on any further runs of the command for some period of time (5 minutes by my approximation), it fails instantly. Might just be expected caching behavior, but it seemed like it might be relevant. It seems to be the same behavior I experience trying to connect: the first time I try to connect (via a Mac SMB client), it seems to time out. If I try immediately after, it seems to work (for some value of work). Perhaps this is just the LDAP bind occurring, though.

Any of that point to anything?

Thanks for your consideration,

--
Ryan Hardy <ryan.ha...@duke.edu>
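Added example (not from either poster): a small script that runs the SRV lookups a winbind/Kerberos member needs and separates the ones that must succeed for DC location from the ones where a "No such name" answer is harmless. It assumes `dig` is on the PATH; FOO.BAR.BAZ stands in for the real AD DNS domain.

```python
# Added diagnostic, not from the thread: check the AD SRV records an AD
# member needs and flag which NXDOMAIN answers actually matter.
import subprocess

# (record template, required?)  _kerberos-master is optional: MIT clients
# only use it to retry against the master KDC, so NXDOMAIN there is benign.
SRV_RECORDS = [
    ("_ldap._tcp.dc._msdcs.{realm}", True),   # winbind DC discovery
    ("_ldap._tcp.{realm}", True),
    ("_kerberos._udp.{realm}", True),
    ("_kerberos-master._udp.{realm}", False),
]

def parse_dig_short(output):
    """Parse `dig +short ... SRV` output: 'prio weight port target.' per line."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:   # blank line, warning, or ";; connection timed out"
            continue
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def query_srv(name, server=None):
    # An empty list means NXDOMAIN, NODATA or a timeout (dig +short prints nothing).
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:                # e.g. a specific DC, to bypass resolv.conf
        cmd.append("@" + server)
    out = subprocess.run(cmd + [name, "SRV"], capture_output=True, text=True)
    return parse_dig_short(out.stdout)

def classify(realm, answers):
    """Map each SRV name to 'ok', 'MISSING' (required) or 'absent (optional)'."""
    verdicts = {}
    for template, required in SRV_RECORDS:
        name = template.format(realm=realm)
        verdicts[name] = ("ok" if answers.get(name)
                          else "MISSING" if required else "absent (optional)")
    return verdicts

def check_realm(realm, server=None):
    names = [t.format(realm=realm) for t, _ in SRV_RECORDS]
    return classify(realm, {n: query_srv(n, server) for n in names})

if __name__ == "__main__":
    import sys  # usage: check_ad_srv.py FOO.BAR.BAZ [dns-server]
    for name, verdict in check_realm(*sys.argv[1:3]).items():
        print(f"{verdict:18} {name}")
```

Run it once against the resolvers in resolv.conf and once with a DC's address as the second argument; a record that is "MISSING" in the first run but "ok" in the second points at the delegation or forwarding path rather than at the domain itself.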
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba