On Mon, Nov 26, 2007 at 09:51:18AM +1300, Jason Haar wrote:
>
> If I do a "nslookup domain.AD" I get a listing of all our valid DC 10.*
> addresses back - plus the unwanted 192.168 address - but it appears that
> sometimes winbind decides that is the valid address, and won't try any
> of the other addresses? And then you get the NT_STATUS_NO_LOGON_SERVERS
> - as it isn't reachable.
>
> Here's some excerpts from /var/log/samba/log.wb-DOMAIN
>
>
> ads_find_dc: looking for realm 'domain.AD'
> get_sorted_dc_list: attempting lookup for name domain.AD (sitename
> NULL) using [ads]
> sitename_fetch: Returning sitename for domain.AD: "correct-sitename"
> name domain.AD#20 found
> get_dc_list: negative entry domain.AD removed from DC list
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.234.235:389
>
>
> those last two lines imply why this problem occurs, but this problem
> isn't being noticed within AD itself - I think Microsoft actually uses
> ICMP pings to test DCs are reachable? Does Samba? Also, I have no idea
> why it returns only one, invalid IP - nslookup shows this particular
> domain has 13 domain controller IPs listed - including the one 192.168 one.
>
> Obviously to fix it I just have to whine at our AD people until they
> clean out this bogus DC IP - but shouldn't Samba work its way around
> this? As an added advantage, ping tests could even ensure Samba connects
> to the closest DC by measuring the latency...?

We should notice this address is bad and add it to the negative
connection cache once we fail to connect - we actually use a lot of
techniques to ensure we don't get stuck on a bad DC (server affinity
cache, negative connection cache etc.).

Is there a chance you can get me a debug level 10 when you're running
into this problem so I can see what is going on?

Jeremy.
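
Added example, not part of the original thread and not Samba code: a small Python check that reads the `get_dc_list` lines of a winbind log like the excerpt quoted above and flags returned DC addresses that fall outside the networks where DCs are expected. The function name `audit_dc_lists` is hypothetical, and 10.0.0.0/8 as the expected range is an assumption taken from the "valid DC 10.*" remark in the post.

```python
import ipaddress
import re

# Log excerpt as quoted in the thread above (log.wb-DOMAIN).
SAMPLE_LOG = """\
ads_find_dc: looking for realm 'domain.AD'
get_sorted_dc_list: attempting lookup for name domain.AD (sitename NULL) using [ads]
sitename_fetch: Returning sitename for domain.AD: "correct-sitename"
name domain.AD#20 found
get_dc_list: negative entry domain.AD removed from DC list
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.234.235:389
"""

COUNT_RE = re.compile(r"get_dc_list: returning (\d+) ip addresses")
ADDR_RE = re.compile(r"get_dc_list: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")


def audit_dc_lists(log_text, expected_nets):
    """Return one finding per 'get_dc_list: returning N ...' block in the log."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings, current = [], None
    for line in log_text.splitlines():
        m = COUNT_RE.search(line)
        if m:  # start of a new ordered DC list
            current = {"announced": int(m.group(1)), "dcs": [], "unexpected": []}
            findings.append(current)
            continue
        m = ADDR_RE.search(line)
        if not (m and current is not None):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # looks like an address but is not one; skip it
            continue
        current["dcs"].append(str(ip))
        if not any(ip in n for n in nets):
            current["unexpected"].append(str(ip))
    for f in findings:
        # True when every address returned lies outside the expected DC networks.
        f["only_unexpected"] = bool(f["dcs"]) and f["dcs"] == f["unexpected"]
    return findings


if __name__ == "__main__":
    for finding in audit_dc_lists(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(finding)
```
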