[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Fri Dec 4 16:20:55 UTC 2015

> Hi, If you can bear with me, I am trying to get the join to add the NS 
> for the joining DC to the SOA, I believe I may be near to getting this 
> working (after leading myself down the garden path, what I tried 
> previously, didn't work), once it does, I should be able to answer your 
> question, my test domain is using the internal dns.
> Rowland

I am happy to hear that and hope that solves the problem! I have tested 
fail-over now with the new NS record, but the situation is more or less 
the same:

- created the NS record and waited until I found the record to be replicated
- restarted the windows machine I wanted to test this on
- suspended the 1st DC (currently a VM)
- tried to log on to the windows test machine
- results:

1. first log-on for a user takes ~30 seconds (on a second test it was up 
to 60 s)
2. the following (second) log-on takes only 5 s
3. third log-on takes 2-3 s

Confirmed this with a second user, the same time-out pattern. Seems to 
me that Windows 7 keeps its default DC but is willing to make exceptions 
on a user basis?

However, I cannot say whether this actually is a server authentication 
or an offline log-on. I looked into the Windows logs ("Security") but 
didn't find anything conclusive.

Two other things to mention:

- From Windows, I can access my home and other network shares (located 
on a Samba 4 member server) as usual without any problem (which is good!!)

- But when I try to ssh to a member server, it still takes forever, and 
a 'kinit' on a member server gives this:
   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
getting initial credentials"

My /etc/krb5.conf looks like this (following your suggestions, Rowland, 
as everything else is left at the defaults):

  default_realm = MY.DOMAIN.TLD

And my /etc/resolv.conf is this:

search my.domain.tld
nameserver IP_of_1st_DC
nameserver IP_of_2nd_DC

So from a Windows client point of view, I am more or less fine (even 
without restarting the machines). But it would be great if I could 
log in to the Linux member servers as well.
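On the Linux side, kinit's "Cannot contact any KDC" depends on two client files rather than on the Windows DC locator: krb5.conf decides whether KDCs come from explicit kdc= lines or from DNS SRV lookups (MIT krb5 defaults dns_lookup_kdc to true), and resolv.conf decides how long each of those lookups can stall on a nameserver that is down (glibc waits its per-server timeout, 5 s by default, before trying the next nameserver). The script below is an added example, not code from this thread or from the Samba project: it parses both files, lists the KDC candidates a client in this configuration would try, reports the per-lookup stall a dead first nameserver introduces, and probes tcp/88 on any explicit KDCs. The configuration bodies, the dc1/dc2 hostnames and the 192.0.2.x addresses are constructed sample values.

```python
import re
import socket

# Constructed sample configuration standing in for the poster's files.
# The hostnames and 192.0.2.x addresses are documentation values, not real servers.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = MY.DOMAIN.TLD
    dns_lookup_kdc = true

[realms]
    MY.DOMAIN.TLD = {
        kdc = dc1.my.domain.tld
        kdc = dc2.my.domain.tld
    }
"""

# Minimal form like the one in the post: no kdc= lines, so discovery is DNS-only.
MINIMAL_KRB5_CONF = """
[libdefaults]
    default_realm = MY.DOMAIN.TLD
"""

SAMPLE_RESOLV_CONF = """
search my.domain.tld
nameserver 192.0.2.10
nameserver 192.0.2.11
options timeout:2 attempts:2
"""


def parse_krb5_conf(text):
    """Return (default_realm, dns_lookup_kdc, {realm: [kdc, ...]})."""
    section, realm, default_realm = None, None, None
    dns_lookup_kdc = True  # MIT krb5 default when the key is absent
    kdcs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, realm = m.group(1), None
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if section == "libdefaults":
            if key == "default_realm":
                default_realm = val
            elif key == "dns_lookup_kdc":
                dns_lookup_kdc = val.lower() in ("true", "yes", "1")
        elif section == "realms":
            if val == "{":                 # start of a "REALM = {" block
                realm = key
                kdcs.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and key == "kdc":
                kdcs[realm].append(val)
    return default_realm, dns_lookup_kdc, kdcs


def parse_resolv_conf(text):
    """Return (nameservers, options) from a resolv.conf body."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                name, _, num = opt.partition(":")
                options[name] = int(num) if num.isdigit() else True
    return nameservers, options


def srv_names(realm):
    """SRV names an MIT/Heimdal client queries to locate KDCs for a realm."""
    realm = realm.rstrip(".")
    return ["_kerberos._udp." + realm, "_kerberos._tcp." + realm]


def kdc_candidates(krb5_text):
    """Explicit kdc= hosts if configured, otherwise the SRV names DNS must answer."""
    default_realm, dns_lookup, kdcs = parse_krb5_conf(krb5_text)
    explicit = kdcs.get(default_realm, [])
    srv = [] if explicit or not dns_lookup else srv_names(default_realm)
    return {"realm": default_realm, "explicit": explicit, "srv": srv}


def first_lookup_delay(resolv_text):
    """Seconds one lookup waits on a dead first nameserver before the resolver
    moves on to the second (glibc per-server timeout, default 5 s); None if
    there is no second nameserver to move on to."""
    nameservers, options = parse_resolv_conf(resolv_text)
    if len(nameservers) < 2:
        return None
    return options.get("timeout", 5)


def tcp_probe(host, port=88, timeout=2.0):
    """True if a TCP connection to the KDC port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                        # refused, unreachable, unresolvable, timed out
        return False


if __name__ == "__main__":
    for name, conf in (("explicit", SAMPLE_KRB5_CONF), ("minimal", MINIMAL_KRB5_CONF)):
        print(name, "->", kdc_candidates(conf))
    print("stall per lookup with first nameserver down:",
          first_lookup_delay(SAMPLE_RESOLV_CONF), "s")
    for host in kdc_candidates(SAMPLE_KRB5_CONF)["explicit"]:
        print(host, "tcp/88 reachable:", tcp_probe(host))
```

With a krb5.conf as minimal as the one in the post, the script reports no explicit KDCs and two _kerberos SRV names, which is exactly the path that has to work through resolv.conf while the first DC is suspended. The glibc resolver options `timeout:` and `rotate` are the knobs that change how long that path stalls; whether they explain the delays seen here is something to measure, not something the script decides.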
