[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Fri Dec 4 16:42:37 UTC 2015

On 04/12/15 16:20, Ole Traupe wrote:
>> Hi, If you can bear with me, I am trying to get the join to add the 
>> NS for the joining DC to the SOA, I believe I may be near to get this 
>> working (after leading myself down the garden path, what I tried 
>> previously, didn't work), once it does, I should be able answer your 
>> question, my test domain is using the internal dns.
>> Rowland
> I am happy to hear that and hope that solves the problem! I have 
> tested fail-over now with the new NS record, but the situation is more 
> or less the same:
> - created the NS record and waited until I found the record to be 
> replicated
> - restarted the windows machine I wanted to test this on
> - suspended the 1st DC (currently a VM)
> - tried to log-on to the windows test machine
> - results:
> 1. first log-on for a user takes ~30 seconds (on a second test it was 
> up to 60 s)
> 2. following second log-on takes only 5 s
> 3. third log-on takes 2-3 s
> Confirmed this with a second user, the same time-out pattern. Seems to 
> me that Windows 7 keeps its default DC but is willing to make 
> exceptions on a user basis?
> However, I cannot say whether this actually is a server authentication 
> or an offline log-on. I looked into the Windows logs ("Security") but 
> didn't find anything conclusive.
> Two other things to mention:
> - From Windows, I can access my home and other network shares (located 
> on a Samba 4 member server) as usual with out any problem (which is 
> good!!)
> - But when I try to ssh to a member server, it still takes forever, 
> and a 'kinit' on a member server gives this:
>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
> getting initial credentials"
> My /etc/krb5.conf looks like this (following your suggestions, 
> Rowland, as everything else are defaults):
> [libdefaults]
>  default_realm = MY.DOMAIN.TLD
> And my /etc/resolv.conf is this:
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
> So from a Windows client point of view, I am more or less fine (even 
> without restarting the machines). But it would be great if I could 
> log-in to the Linux member servers as well.
> Ole

I am getting nearer, I can now add another NS record to the SOA whilst 
joining a DC, it's the wrong record, but it was added :-D

Now to get it to add the correct NS record (after I figure out just 
where I went wrong).


More information about the samba mailing list