[Samba] common causes for failure to find domain controller ?

Mark Casey markc at unifiedgroup.com
Wed Feb 17 08:16:22 MST 2010


On 2/17/2010 4:15 AM, Evan Ingram wrote:
> Hi,
>
> are there any common causes for a windows machine's failure to find a
> samba domain controller?
>
> I'm trying to join a windows 2008 server to a samba[3.4.0] PDC and
> debug/netsetup says "failed to find a DC in the specified domain".
>
> cheers
>
>    
Evan,

Yes there are a few. A very common one is the DC and your server's 
clocks being too far out of sync but afaik that does not seem to be your 
issue. In your case it just says it can't find a DC to begin with. You 
might try a few of these, some of which may not apply depending on 
whether you are listing your DCs explicitly or just letting them be 
found automatically.

1. Make sure you can ping between your hosts. Ping the DC from the smb 
box and the smb box from the DC; try both 'ping server' and 'ping 
server.domain.local'.
2. On the DC run netdiag and dcdiag. There is a dns only test in dcdiag 
too, I think the syntax is dcdiag /test:dns.
My smb boxes use my DCs for DNS and the DNS are AD integrated, so you 
may need to tweak those suggestions if that's not your setup. Generally 
though, check out the health of the DNS.

3. In case you get nothing there (and you haven't done this already), 
try specifying your DCs explicitly in the kerberos config and in 
smb.conf. I've never had my config reviewed by the experts, but it works 
for me:

/etc/krb5.conf
...
[realms]
         DOMAINNAME.COM = {
                 kdc = dal-dc1.domainname.com
                 kdc = den-dc1.domainname.com
                 master_kdc = dal-dc1.domainname.com
                 admin_server = dal-dc1.domainname.com
         }

[domain_realm]
         .domainname.com = DOMAINNAME.COM
...

/etc/samba/smb.conf
...
[global]
         server string = Dallas File Server
         workgroup = DOMAINNAME
         realm = DOMAINNAME.COM
         security = ADS
         password server = *
         #password server = dal-dc1.domainname.com
         #password server = dal-dc1.domainname.com, den-dc1.domainname.com
...
Note the password option especially. For a while I had to list it explicitly.

4. Use kinit to make sure kerberos is working, and maybe search for your 
error more in the list archives (read: google).

root@yourhost:~# kinit Administrator@DOMAINNAME.COM
Password for Administrator@DOMAINNAME.COM:
root@yourhost:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAINNAME.COM

Valid starting     Expires            Service principal
02/17/10 09:09:19  02/17/10 19:09:26  krbtgt/DOMAINNAME.COM@DOMAINNAME.COM
         renew until 02/18/10 09:09:19


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@yourhost:~# kdestroy
root@yourhost:~# kdestroy
kdestroy: No credentials cache found while destroying cache
root@yourhost:~#

HTH,
Mark Casey
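
Added example (not part of the original message, and not Samba project code): a small cross-check of the two config fragments from step 3, flagging an smb.conf realm that has no exact-case [realms] entry in krb5.conf and any explicitly listed password server that krb5.conf does not name as a kdc. The function names, the sample strings and the rule that every listed password server should also appear as a kdc are assumptions made for this illustration.

```python
import re

# Constructed sample input, modelled on the two fragments in the post.
KRB5 = """[realms]
    DOMAINNAME.COM = {
        kdc = dal-dc1.domainname.com
        kdc = den-dc1.domainname.com
    }
"""
SMB = """[global]
    realm = DOMAINNAME.COM
    password server = *
    #password server = dal-dc1.domainname.com
"""

def krb5_kdcs(text):
    """Map each realm in [realms] to the list of its kdc hosts."""
    realms, section, realm = {}, None, None
    for line in (l.split("#")[0].strip() for l in text.splitlines()):
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif section == "realms" and (m := re.match(r"(\S+)\s*=\s*\{$", line)):
            realm = m.group(1)
            realms[realm] = []
        elif realm and (m := re.match(r"kdc\s*=\s*(\S+)$", line)):
            realms[realm].append(m.group(1).lower())
    return realms

def smb_global(text):
    """Return the active (uncommented) [global] parameters of smb.conf."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(krb5_text, smb_text):
    """Return a list of mismatches between smb.conf and krb5.conf."""
    realms, smb = krb5_kdcs(krb5_text), smb_global(smb_text)
    realm, problems = smb.get("realm", ""), []
    if realm not in realms:  # Kerberos realm names are case-sensitive
        problems.append(f"realm {realm!r} has no [realms] entry in krb5.conf")
    for host in re.split(r"[,\s]+", smb.get("password server", "*")):
        if host and host != "*" and host.lower() not in realms.get(realm, []):
            problems.append(f"password server {host} is not a kdc for {realm!r}")
    return problems
```

An empty list from check() means the two files agree on realm and DC names; it says nothing about whether DNS or the DCs themselves are healthy, which steps 1, 2 and 4 cover.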

