[Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

Rowland Penny rpenny at f2s.com
Mon May 27 12:34:39 MDT 2013


Hi, I think that you misunderstood what Andrew was trying to tell you. My
/etc/krb5.conf on a Linux client is this:

[logging]
    default = FILE:/var/log/krb5libs.log

[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = true

[realms]

[domain_realm]

Note that NO particular server is referenced, yet it works; the client must
find the server itself via DNS. Try it, it just might cure your problems.

Rowland
On 27 May 2013 19:14, Robinson, Eric <eric.robinson at psmnv.com> wrote:

> > -----Original Message-----
> > From: Marc Muehlfeld [mailto:samba at marc-muehlfeld.de]
> > Sent: Saturday, May 25, 2013 3:31 PM
> > To: Robinson, Eric
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Linux Servers in an AD Domain with
> > Multiple Windows Domain Controllers
> >
> > Hello Eric,
> >
> > Am 25.05.2013 18:29, schrieb Robinson, Eric:
> > > We have three Windows domain controllers in our AD domain. They are
> > > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > > domain as well. The Linux servers are working fine with AD. However,
> > > they are currently configured in krb.conf and krb5.conf to use only
> > > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > > authenticate. How do we configure the Linux servers to use multiple
> > > domain controllers for AD, so if DC01 is down everything continues
> > > to work on the Linux side?
> >
> > I saw that you asked that question already 1.5 years ago on
> > this list:
> > http://markmail.org/message/slugpbka33ap4ima
> >
> > Didn't the two suggestions from Marcel and Andrew work? If
> > not, what were the problems with them? Then maybe we find a
> > way to get it to work.
> >
> > Regards,
> > Marc
> >
>
> Hi Marc -- Thanks very much for following up on this. I did try Marcel and
> Andrew's suggestions (see below) but they did not work. When server DC01 is
> down, Windows users can still log in fine, but when I try to ssh to a Linux
> box, the login hangs for a long time or forever. Also, Marcel and Andrew
> did not address my follow-up question about the krb.conf file. They only
> mentioned the krb5.conf file.
>
> For reference, my krb.conf looks like this...
>
> MYCHARTS.MD     dc01.mycharts.md:88
> MYCHARTS.MD     dc01.mycharts.md:749 admin server
>
> My krb5.conf looks like the following... note the second entry for the DC
> named TS04.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MYCHARTS.MD
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  MYCHARTS.MD = {
>   kdc = dc01.mycharts.md:88
>   kdc = ts04.mycharts.md:88
>   admin_server = dc01.mycharts.md:749
>   kpasswd_server = dc01.mycharts.md:464
>   kpasswd_protocol = SET_CHANGE
>   #default_domain = example.com
>  }
>
> [domain_realm]
>  *.mycharts.md = MYCHARTS.MD
>  .mycharts.md = MYCHARTS.MD
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> --Eric

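Rowland's point (no pinned KDC, so the client falls back to DNS) and the krb5.conf Eric posted make a useful pair to audit. The Python script below is an added example, not code from this thread, from Samba or from MIT Kerberos. It parses the subset of krb5.conf syntax the thread uses and reports, per realm, how KDCs are located: MIT krb5 consults the `_kerberos` DNS SRV records for a realm only when that realm lists no `kdc` entries, so a populated `[realms]` block disables DNS-based fail-over even with `dns_lookup_kdc = true`; it also flags `admin_server` and `kpasswd_server` pinned to a single host. The two embedded configurations are the ones quoted in the thread, trimmed to the sections the audit reads; the function and variable names are my own.

```python
"""Audit a krb5.conf for KDC fail-over problems (added example, not thread/project code).

Handles the krb5.conf subset used in the thread: [sections], key = value lines,
comments starting with # or ;, and one level of { } blocks (realm blocks).
"""
import re
from collections import defaultdict

# The two configurations quoted in the thread, trimmed to the sections the audit reads.
ERIC_KRB5_CONF = """
[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 *.mycharts.md = MYCHARTS.MD
 .mycharts.md = MYCHARTS.MD
"""

ROWLAND_KRB5_CONF = """
[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]

[domain_realm]
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a '{ }' block becomes a nested dict.
    Repeated keys (several 'kdc =' lines) accumulate into one list, in file order."""
    conf = defaultdict(dict)
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section, block = header.group(1), None
            continue
        if section is None:
            raise ValueError("setting outside of any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        if value == "{":
            block = conf[section].setdefault(key, {})
            continue
        target = conf[section] if block is None else block
        target.setdefault(key, []).append(value)
    return conf


def _truthy(value):
    return value.strip().lower() in ("true", "t", "yes", "y", "on", "1")


def _host(endpoint):
    """Strip an optional :port from 'host:port' (bracketed IPv6 literals stay intact)."""
    return re.fullmatch(r"(.+?)(?::\d+)?", endpoint).group(1)


def audit_kdc_failover(text):
    """Report, per realm, how KDCs are located and which servers are pinned to one host."""
    conf = parse_krb5_conf(text)
    dns_lookup_kdc = _truthy(conf.get("libdefaults", {}).get("dns_lookup_kdc", ["false"])[0])
    report = {"dns_lookup_kdc": dns_lookup_kdc, "realms": {}, "findings": []}
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        kdcs = settings.get("kdc", [])
        hosts = sorted({_host(k) for k in kdcs})
        entry = {"kdcs": kdcs, "kdc_hosts": hosts, "pinned": {},
                 # MIT krb5 uses SRV records for a realm only when it lists no kdc.
                 "srv_lookup_used": dns_lookup_kdc and not kdcs}
        if kdcs and dns_lookup_kdc:
            report["findings"].append("%s: %d kdc entries listed, so DNS SRV lookup is "
                                      "skipped despite dns_lookup_kdc = true" % (realm, len(kdcs)))
        if len(hosts) == 1:
            report["findings"].append("%s: single KDC host %s is a single point of failure" % (realm, hosts[0]))
        if not kdcs and not dns_lookup_kdc:
            report["findings"].append("%s: no kdc listed and dns_lookup_kdc disabled" % realm)
        for key in ("admin_server", "kpasswd_server"):
            key_hosts = sorted({_host(v) for v in settings.get(key, [])})
            if len(key_hosts) == 1:  # one host only: password changes stop when it is down
                entry["pinned"][key] = key_hosts[0]
                report["findings"].append("%s: %s pinned to %s" % (realm, key, key_hosts[0]))
        report["realms"][realm] = entry
    report["dns_only"] = dns_lookup_kdc and not report["realms"]
    return report


if __name__ == "__main__":
    for name, text in (("Eric", ERIC_KRB5_CONF), ("Rowland", ROWLAND_KRB5_CONF)):
        result = audit_kdc_failover(text)
        print("%s: dns_only=%s" % (name, result["dns_only"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run against Eric's configuration the audit reports that the two `kdc` lines suppress SRV lookup for MYCHARTS.MD and that `admin_server` and `kpasswd_server` are both pinned to dc01; Rowland's configuration yields no realm entries and `dns_only = True`, which is the DNS-driven behaviour he describes.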