[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ole Traupe
ole.traupe at tu-berlin.de
Thu Dec 10 13:15:19 UTC 2015
>>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work are to specify the kdc and not rely on dns,
> for instance.
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> MY.DOMAIN.TLD = {
> kdc = IP of First DC
> kdc = IP of Second DC
> }
>
Here is the content of /etc/krb5.conf (commented sections were all
effective, initially):
[root at server me]# cat /etc/krb5.conf
#[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.DOMAIN.TLD
# dns_lookup_realm = false
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
#[realms]
# MY.DOMAIN.TLD = {
# kdc = dc1.my.domain.tld
# kdc = dc2.my.domain.tld
# admin_server = dc1.my.domain.tld
# default_domain = my.domain.tld
# }
#[domain_realm]
# my.domain.tld = MY.DOMAIN.TLD
# .my.domain.tld = MY.DOMAIN.TLD
Initially, when the First_DC was offline and I swapped the 'kdc' server
lines in [realms] in krb5.conf and the 'nameserver' lines in resolv.conf
(and restarted the network service; not sure whether the latter was
actually needed), I could kinit on the member server.
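The two configurations discussed above (the commented-out [realms] block that leaves KDC discovery to DNS, versus explicit kdc lines with dns_lookup_kdc = false) can be compared mechanically. The following Python script is an added example, not code from the thread or from the Samba project: it parses a krb5.conf, including the brace-delimited realm blocks, and reports how a client would locate KDCs for the default realm and whether there is any failover. Both sample configs are constructed for the example; the 192.0.2.x addresses are placeholders standing in for "IP of First DC" and "IP of Second DC".

```python
"""Parse a krb5.conf and report how a client would locate KDCs for its realm."""
from typing import Dict, List

# Constructed sample modelled on the config quoted in the thread: the [realms]
# section is commented out, so KDC discovery depends entirely on DNS SRV records.
DNS_ONLY_CONF = """\
[libdefaults]
default_realm = MY.DOMAIN.TLD
# dns_lookup_kdc = true
#[realms]
# MY.DOMAIN.TLD = {
# kdc = dc1.my.domain.tld
# kdc = dc2.my.domain.tld
# }
"""

# Constructed sample with static KDCs, as suggested in the reply (placeholder IPs).
EXPLICIT_CONF = """\
[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
MY.DOMAIN.TLD = {
    kdc = 192.0.2.10
    kdc = 192.0.2.11
}
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Return {section: {key: [values] | {nested block}}}.

    Handles '#'/';' comment lines, [section] headers, repeated keys such as
    'kdc' (collected as a list, preserving order) and 'NAME = { ... }' blocks.
    """
    conf: Dict[str, dict] = {}
    section = None   # current [section] dict
    block = None     # current '{ ... }' block inside the section, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            raise ValueError(f"directive outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        target = block if block is not None else section
        if value == "{":
            block = target.setdefault(key, {})
            continue
        target.setdefault(key, []).append(value)
    return conf


def kdc_lookup_plan(conf: Dict[str, dict]) -> dict:
    """Summarise where the client will look for KDCs and flag weak setups."""
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    if realm is None:
        raise ValueError("no default_realm configured")
    # MIT krb5 treats dns_lookup_kdc as true when it is not set; SRV lookups are
    # used only for realms that have no static kdc entries.
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["true"])[0].lower() in ("true", "yes", "1")
    kdcs: List[str] = list(conf.get("realms", {}).get(realm, {}).get("kdc", []))
    warnings: List[str] = []
    if not kdcs and not dns_kdc:
        warnings.append("dns_lookup_kdc is false and no kdc entries: kinit cannot find a KDC")
    elif not kdcs:
        warnings.append("no static kdc entries: KDC choice depends on _kerberos._tcp SRV "
                        "answers from the resolver in resolv.conf")
    elif len(kdcs) == 1:
        warnings.append("only one static kdc entry: no failover if it is offline")
    return {"realm": realm, "dns_lookup_kdc": dns_kdc, "kdcs": kdcs, "warnings": warnings}


if __name__ == "__main__":
    for name, text in (("dns-only", DNS_ONLY_CONF), ("explicit", EXPLICIT_CONF)):
        print(name, kdc_lookup_plan(parse_krb5_conf(text)))
```

Run against a real /etc/krb5.conf by reading the file into `parse_krb5_conf`; the `kdcs` list shows the order in which the library will try static KDCs, and an empty list with DNS enabled explains why swapping `nameserver` lines in resolv.conf changed which DC `kinit` reached.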