[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
rpenny at samba.org
Fri Dec 4 16:42:37 UTC 2015
On 04/12/15 16:20, Ole Traupe wrote:
>> Hi, If you can bear with me, I am trying to get the join to add the
>> NS for the joining DC to the SOA, I believe I may be near to get this
>> working (after leading myself down the garden path, what I tried
>> previously, didn't work), once it does, I should be able answer your
>> question, my test domain is using the internal dns.
> I am happy to hear that and hope that solves the problem! I have
> tested fail-over now with the new NS record, but the situation is more
> or less the same:
> - created the NS record and waited until I found the record to be
> - restarted the windows machine I wanted to test this on
> - suspended the 1st DC (currently a VM)
> - tried to log-on to the windows test machine
> - results:
> 1. first log-on for a user takes ~30 seconds (on a second test it was
> up to 60 s)
> 2. following second log-on takes only 5 s
> 3. third log-on takes 2-3 s
> Confirmed this with a second user, the same time-out pattern. Seems to
> me that Windows 7 keeps its default DC but is willing to make
> exceptions on a user basis?
> However, I cannot say whether this actually is a server authentication
> or an offline log-on. I looked into the Windows logs ("Security") but
> didn't find anything conclusive.
> Two other things to mention:
> - From Windows, I can access my home and other network shares (located
> on a Samba 4 member server) as usual with out any problem (which is
> - But when I try to ssh to a member server, it still takes forever,
> and a 'kinit' on a member server gives this:
> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials"
> My /etc/krb5.conf looks like this (following your suggestions,
> Rowland, as everything else are defaults):
> default_realm = MY.DOMAIN.TLD
> And my /etc/resolv.conf is this:
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
> So from a Windows client point of view, I am more or less fine (even
> without restarting the machines). But it would be great if I could
> log-in to the Linux member servers as well.
I am getting nearer, I can now add another NS record to the SOA whilst
joining a DC, it's the wrong record, but it was added :-D
Now to get it to add the correct NS record (after I figure out just
where I went wrong).
More information about the samba