I noticed this bug while researching symptoms similar to yours. However, while during logon we occasionally hit the external DC, it responds quickly in our case. In the end, I found out the delays were caused by time sync issues, resulting in the client having to request service tickets for the LDAP queries to the DCs multiple times, which in turn resulted in an extremely high number of DNS queries.
The total number of DNS lookups for a single logon + homedir mount runs into the hundreds because each time all service records are queried again. It also turned out that every now and then a query would not be answered, resulting in timeouts. The cumulative DNS timeouts (10-30 timeouts for a single logon session) caused most of the delays. What does not help here is that Ubuntu uses dnsmasq, but has its resolver cache disabled. (Windows clients do have resolver caches and need them.)

In the end I did three quick fixes pending further investigation:

- I defined my domain controllers as NTP servers in ntp.conf;
- I hard-coded the DCs in krb5.conf, reducing the number of service record lookups needed to find the KDC for the realm;
- I installed a pdns resolver listening on 127.0.0.3 and configured it to forward all queries to the DCs (the disabling of the cache in dnsmasq turned out to be hard-coded by Ubuntu and I didn't want to touch that).

winbind and kerberos is a fragile thing......

--
https://bugs.launchpad.net/bugs/1159715
Title: winbind_krb5_locator plugin is missing from winbind 3.6.3
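
An added example, not part of the original bug comment: a small check that ties the first two fixes together by confirming every KDC pinned in krb5.conf is also a time source in ntp.conf, since Kerberos tickets fail on clock skew. The realm, host names, file contents and function names are constructed placeholders; KDCs are assumed to be given as host names, optionally with a port.

```python
import re

# Constructed sample files; the example.test hosts are placeholders.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = false
[realms]
    EXAMPLE.TEST = {
        kdc = dc1.example.test
        kdc = dc2.example.test:88
    }
"""
NTP_CONF = """\
server dc1.example.test iburst
server 0.ubuntu.pool.ntp.org
"""

def pinned_kdcs(krb5_text, realm):
    """Return host names of the kdc entries in the [realms] stanza for realm."""
    section, in_realm, kdcs = None, False, []
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, in_realm = m.group(1), False
        elif section == "realms" and re.fullmatch(re.escape(realm) + r"\s*=\s*\{", line):
            in_realm = True
        elif in_realm and line.startswith("}"):
            in_realm = False
        elif in_realm:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                kdcs.append(value.strip().split(":")[0].lower())
    return kdcs

def ntp_servers(ntp_text):
    """Return hosts named on server/peer/pool lines of ntp.conf."""
    hosts = []
    for raw in ntp_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "peer", "pool"):
            hosts.append(fields[1].lower())
    return hosts

def kdcs_not_time_sources(krb5_text, ntp_text, realm):
    """KDCs the client authenticates to but does not sync its clock with."""
    ntp = set(ntp_servers(ntp_text))
    return [k for k in pinned_kdcs(krb5_text, realm) if k not in ntp]
```

On the constructed input the check flags dc2.example.test, a pinned KDC that is missing from the NTP server list.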
