[Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

Rowland Penny rpenny at f2s.com
Mon May 27 12:46:03 MDT 2013


I do not think that you actually need the krb.conf, try it without it,
after all what have you got to lose?

Rowland


On 27 May 2013 19:43, Robinson, Eric <eric.robinson at psmnv.com> wrote:

> Thanks, I will try that. What about krb.conf? Any changes required there?
>
> (Sorry about the top post. Your MUA's message quoting mechanism makes it
> hard to bottom post as I am normally used to doing.)
>
> --
> Eric Robinson
>
>
> ________________________________
> From: Robinson, Eric
> Sent: Monday, May 27, 2013 11:39 AM
> To: 'Rowland Penny'
> Cc: 'Marc Muehlfeld'; 'samba at lists.samba.org'
> Subject: RE: [Samba] Linux Servers in an AD Domain with Multiple Windows
> Domain Controllers
>
>
> On 27 May 2013 19:14, Robinson, Eric <eric.robinson at psmnv.com> wrote:
> > -----Original Message-----
> > From: Marc Muehlfeld [mailto:samba at marc-muehlfeld.de]
> > Sent: Saturday, May 25, 2013 3:31 PM
> > To: Robinson, Eric
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Linux Servers in an AD Domain with
> > Multiple Windows Domain Controllers
> >
> > Hello Eric,
> >
> > On 25.05.2013 18:29, Robinson, Eric wrote:
> > > We have three Windows domain controllers in our AD domain. They are
> > > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > > domain as well. The Linux servers are working fine with AD. However,
> > > they are currently configured in krb.conf and krb5.conf to use only
> > > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > > authenticate. How do we configure the Linux servers to use multiple
> > > domain controllers for AD, so if DC01 is down everything continues
> > > to work on the Linux side?
> >
> > I saw that you asked that question already 1.5 years ago on
> > this list:
> > http://markmail.org/message/slugpbka33ap4ima
> >
> > Didn't the two suggestions from Marcel and Andrew work? If
> > not, what were the problems with them? Then maybe we find a
> > way to get it to work.
> >
> > Regards,
> > Marc
> >
>
> Hi Marc -- Thanks very much for following up on this. I did try Marcel and
> Andrew's suggestions (see below) but it did not work. When server DC01 is
> down, Windows users can still login fine, but when I try to ssh to a Linux
> box, the login hangs for a long time or forever. Also, Marcel and Andrew
> did not address my follow-up question about the krb.conf file. They only
> mentioned the krb5.conf file.
>
> For reference, my krb.conf looks like this...
>
> MYCHARTS.MD     dc01.mycharts.md:88
> MYCHARTS.MD     dc01.mycharts.md:749 admin server
>
> My krb5.conf looks like the following... note the second entry for the DC
> named TS04.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MYCHARTS.MD
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  MYCHARTS.MD = {
>   kdc = dc01.mycharts.md:88
>   kdc = ts04.mycharts.md:88
>   admin_server = dc01.mycharts.md:749
>   kpasswd_server = dc01.mycharts.md:464
>   kpasswd_protocol = SET_CHANGE
>   #default_domain = example.com
>  }
>
> [domain_realm]
>  *.mycharts.md = MYCHARTS.MD
>  .mycharts.md = MYCHARTS.MD
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
>
> --Eric
>
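
An added example, not part of the original thread and not Samba or Kerberos project code: a short Python check that reads the `[realms]` section of a krb5.conf like the one quoted above and reports which server settings name exactly one host, so a dependency on a single domain controller is visible in the file. The function names `parse_realms` and `single_host_settings` are hypothetical, and the embedded sample is constructed from the quoted configuration.

```python
import re
# Constructed sample, modelled on the krb5.conf quoted in the thread.
SAMPLE = """\
[libdefaults]
 default_realm = MYCHARTS.MD
[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  #default_domain = example.com
 }
"""

SERVER_KEYS = ("kdc", "admin_server", "kpasswd_server")

def parse_realms(text):
    """Return {realm: {key: [host, ...]}} for the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section != "realms":
            continue
        elif line == "}":
            realm = None
        elif line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = {}
        elif realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            host = value.rsplit(":", 1)[0].lower()   # drop the port
            realms[realm].setdefault(key, []).append(host)
    return realms

def single_host_settings(text):
    """List (realm, key, host) where a server setting names exactly one host."""
    return [(realm, key, keys[key][0])
            for realm, keys in parse_realms(text).items()
            for key in SERVER_KEYS
            if len(set(keys.get(key, []))) == 1]

if __name__ == "__main__":
    print(single_host_settings(SAMPLE))
```

On the sample, the two `kdc` lines are not reported, while `admin_server` and `kpasswd_server` are, because each names only dc01.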

