From: Jeremy Allison on
On Mon, Nov 26, 2007 at 09:51:18AM +1300, Jason Haar wrote:
>
> If I do a "nslookup domain.AD" I get a listing of all our valid DC 10.*
> addresses back - plus the unwanted 192.168 address - but it appears that
> sometimes winbind decides that is the valid address, and won't try any
> of the other addresses? And then you get the NT_STATUS_NO_LOGON_SERVERS
> - as it isn't reachable.
>
> Here are some excerpts from /var/log/samba/log.wb-DOMAIN
>
>
> ads_find_dc: looking for realm 'domain.AD'
> get_sorted_dc_list: attempting lookup for name domain.AD (sitename
> NULL) using [ads]
> sitename_fetch: Returning sitename for domain.AD: "correct-sitename"
> name domain.AD#20 found
> get_dc_list: negative entry domain.AD removed from DC list
> get_dc_list: returning 1 ip addresses in an ordered list
> get_dc_list: 192.168.234.235:389
>
>
> those last two lines imply why this problem occurs, but this problem
> isn't being noticed within AD itself - I think Microsoft actually uses
> ICMP pings to test DCs are reachable? Does Samba? Also, I have no idea
> why it returns only one, invalid IP - nslookup shows this particular
> domain has 13 domain controller IPs listed - including the one 192.168 one.
>
> Obviously to fix it I just have to whine at our AD people until they
> clean out this bogus DC IP - but shouldn't Samba work its way around
> this? As an added advantage, ping tests could even ensure Samba connects
> to the closest DC by measuring the latency...?

We should notice this address is bad and add it to the negative
connection cache once we fail to connect - we actually use a lot
of techniques to ensure we don't get stuck on a bad DC (server
affinity cache, negative connection cache etc.). Is there a
chance you can get me a debug level 10 when you're running into
this problem so I can see what is going on?

Jeremy.
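A check an administrator could run over log.wb-DOMAIN to spot the condition discussed in this thread, where get_dc_list hands winbind a DC address outside the expected range. This is an added example, not part of the original messages and not Samba code; the function name `audit_dc_lists` is hypothetical, the 10.0.0.0/8 range is assumed from the post's "valid DC 10.* addresses", and the 10.1.2.3 log line is constructed.

```python
import ipaddress
import re

# Log excerpt from the post above (quote markers removed), plus one
# constructed result (10.1.2.3) so an accepted address is exercised too.
SAMPLE_LOG = """\
ads_find_dc: looking for realm 'domain.AD'
sitename_fetch: Returning sitename for domain.AD: "correct-sitename"
name domain.AD#20 found
get_dc_list: negative entry domain.AD removed from DC list
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 192.168.234.235:389
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: 10.1.2.3:389
"""

COUNT_RE = re.compile(r"^get_dc_list: returning (\d+) ip addresses")
ADDR_RE = re.compile(r"^get_dc_list: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")


def audit_dc_lists(log_text, expected_nets=("10.0.0.0/8",)):
    """Return one dict per get_dc_list result, listing unexpected DC addresses."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    results = []
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            # A new ordered list starts; remember how many entries were announced.
            current = {"announced": int(m.group(1)), "addrs": [], "unexpected": []}
            results.append(current)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # not a valid IPv4 address, ignore the line
            current["addrs"].append(str(ip))
            if not any(ip in net for net in nets):
                current["unexpected"].append(str(ip))
    return results


if __name__ == "__main__":
    for entry in audit_dc_lists(SAMPLE_LOG):
        status = "UNEXPECTED DC" if entry["unexpected"] else "ok"
        print(status, entry["announced"], entry["addrs"])
```
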