[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Fri Dec 4 17:54:20 UTC 2015


On 04/12/15 16:42, Rowland penny wrote:
> On 04/12/15 16:20, Ole Traupe wrote:
>>
>>> Hi, If you can bear with me, I am trying to get the join to add the 
>>> NS for the joining DC to the SOA, I believe I may be near to getting 
>>> this working (after leading myself down the garden path, what I 
>>> tried previously didn't work), once it does, I should be able to 
>>> answer your question, my test domain is using the internal dns.
>>>
>>> Rowland
>>
>>
>> I am happy to hear that and hope that solves the problem! I have 
>> tested fail-over now with the new NS record, but the situation is 
>> more or less the same:
>>
>> - created the NS record and waited until I found the record to be 
>> replicated
>> - restarted the windows machine I wanted to test this on
>> - suspended the 1st DC (currently a VM)
>> - tried to log-on to the windows test machine
>> - results:
>>
>> 1. first log-on for a user takes ~30 seconds (on a second test it was 
>> up to 60 s)
>> 2. following second log-on takes only 5 s
>> 3. third log-on takes 2-3 s
>>
>> Confirmed this with a second user, the same time-out pattern. Seems 
>> to me that Windows 7 keeps its default DC but is willing to make 
>> exceptions on a user basis?
>>
>> However, I cannot say whether this actually is a server 
>> authentication or an offline log-on. I looked into the Windows logs 
>> ("Security") but didn't find anything conclusive.
>>
>>
>> Two other things to mention:
>>
>> - From Windows, I can access my home and other network shares 
>> (located on a Samba 4 member server) as usual without any problem 
>> (which is good!!)
>>
>> - But when I try to ssh to a member server, it still takes forever, 
>> and a 'kinit' on a member server gives this:
>>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>> getting initial credentials"
>>
>>
>> My /etc/krb5.conf looks like this (following your suggestions, 
>> Rowland, as everything else are defaults):
>>
>> [libdefaults]
>>  default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>>
>>
>> So from a Windows client point of view, I am more or less fine (even 
>> without restarting the machines). But it would be great if I could 
>> log-in to the Linux member servers as well.
>>
>> Ole
>>
>>
>>
>
> I am getting nearer, I can now add another NS record to the SOA whilst 
> joining a DC, it's the wrong record, but it was added :-D
>
> Now to get it to add the correct NS record (after I figure out just 
> where I went wrong).
>
> Rowland
>

OK, I have now created the correct SOA NS record whilst joining a new DC 
using the internal DNS server. If I run nslookup against each test DC, I 
get back the same nameserver. If I do the same on my normal domain that 
uses Bind9, I get a different nameserver from each DC.

TESTDOMAIN:

root at testdc2:~# nslookup
 > set querytype=soa
 > example.lan
Server:        192.168.0.240
Address:    192.168.0.240#53

example.lan
     origin = testdc1.example.lan
     mail addr = hostmaster.example.lan
     serial = 3
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

Swap nameservers in resolv.conf

root at testdc2:~# nslookup
 > set querytype=soa
 > example.lan
Server:        192.168.0.241
Address:    192.168.0.241#53

example.lan
     origin = testdc1.example.lan
     mail addr = hostmaster.example.lan
     serial = 3
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

NORMAL DOMAIN:

root at dc1:~# nslookup
 > set querytype=soa
 > samdom.example.com
Server:        192.168.0.6
Address:    192.168.0.6#53

samdom.example.com
     origin = dc2.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

swap nameservers in resolv.conf

root at dc1:~# nslookup
 > set querytype=soa
 > samdom.example.com
Server:        192.168.0.5
Address:    192.168.0.5#53

samdom.example.com
     origin = dc1.samdom.example.com
     mail addr = hostmaster.samdom.example.com
     serial = 101
     refresh = 900
     retry = 600
     expire = 86400
     minimum = 3600

Sorry Kia, but I think the moral of the story here is, don't use the 
internal dns server, use bind9 instead.

Rowland
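As an added diagnostic, not code from this thread or from the Samba project, the script below parses the nslookup SOA listings above together with a resolv.conf and krb5.conf like Ole's and reports (a) whether every DC returns the same SOA origin for the zone, (b) roughly how long a client stalls before the second nameserver is consulted when the first one is silent, and (c) whether kinit has KDCs pinned in krb5.conf or must discover them through DNS SRV records. The nameserver addresses 10.0.0.1 and 10.0.0.2 are constructed placeholders for the thread's IP_of_1st_DC and IP_of_2nd_DC, the resolver timing is a simplified model of glibc's documented defaults (timeout 5 s, servers tried in listed order), and the KDC-discovery rule assumes MIT krb5, whose dns_lookup_kdc setting defaults to true.

```python
"""Fail-over readiness checks for an AD DNS/Kerberos client.

Added example, not code from the thread or from Samba. It parses the kind
of nslookup SOA listing, resolv.conf and krb5.conf shown in the thread and
reports what a Linux member server depends on when the first DC is offline.
All inputs below are constructed from the thread's listings.
"""
import re
from dataclasses import dataclass

# Constructed: SOA answers as printed by interactive nslookup, one per DC.
SOA_TESTDOMAIN = [
    "Server:\t192.168.0.240\nAddress:\t192.168.0.240#53\n\nexample.lan\n"
    "\torigin = testdc1.example.lan\n\tserial = 3\n",
    "Server:\t192.168.0.241\nAddress:\t192.168.0.241#53\n\nexample.lan\n"
    "\torigin = testdc1.example.lan\n\tserial = 3\n",
]
SOA_NORMAL = [
    "Server:\t192.168.0.6\nAddress:\t192.168.0.6#53\n\nsamdom.example.com\n"
    "\torigin = dc2.samdom.example.com\n\tserial = 101\n",
    "Server:\t192.168.0.5\nAddress:\t192.168.0.5#53\n\nsamdom.example.com\n"
    "\torigin = dc1.samdom.example.com\n\tserial = 101\n",
]
# Constructed placeholders for IP_of_1st_DC / IP_of_2nd_DC in the thread.
RESOLV_CONF = "search my.domain.tld\nnameserver 10.0.0.1\nnameserver 10.0.0.2\n"
KRB5_CONF = "[libdefaults]\n default_realm = MY.DOMAIN.TLD\n"


@dataclass(frozen=True)
class SoaAnswer:
    server: str   # nameserver that answered
    zone: str
    origin: str   # SOA MNAME: the server the zone names as its primary
    serial: int


def parse_nslookup_soa(text: str) -> SoaAnswer:
    """Pull server, zone, origin and serial out of an nslookup SOA listing."""
    server = re.search(r"^Server:\s*(\S+)", text, re.M).group(1)
    m = re.search(r"^(\S+)\s*\n\s*origin = (\S+)", text, re.M)
    serial = int(re.search(r"^\s*serial = (\d+)", text, re.M).group(1))
    return SoaAnswer(server, m.group(1), m.group(2), serial)


def soa_summary(listings: list) -> dict:
    """Compare what each DC says about the zone's SOA."""
    answers = [parse_nslookup_soa(t) for t in listings]
    origins = sorted({a.origin for a in answers})
    return {
        "zone": answers[0].zone,
        "answering_servers": [a.server for a in answers],
        "origins": origins,
        "same_origin_everywhere": len(origins) == 1,
        "serials_agree": len({a.serial for a in answers}) == 1,
    }


def parse_resolv_conf(text: str) -> tuple:
    """Return (nameservers in listed order, options dict) from resolv.conf."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            nameservers.append(rest[0])
        elif key == "options":
            for opt in rest:
                name, _, val = opt.partition(":")
                options[name] = int(val) if val.isdigit() else True
    return nameservers, options


def seconds_before_fallback(nameservers: list, options: dict, dead: set):
    """Approximate stall before a live nameserver is asked.

    Simplified model of the glibc resolver: servers are tried in listed
    order and each silent server costs one 'timeout' (default 5 s).
    Returns inf when no listed server is live.
    """
    timeout = options.get("timeout", 5)
    for idx, ns in enumerate(nameservers):
        if ns not in dead:
            return idx * timeout
    return float("inf")


def kdc_discovery(krb5_text: str, realm: str) -> tuple:
    """How MIT krb5 will locate a KDC for `realm` with this krb5.conf.

    Pinned 'kdc =' entries under [realms] are used directly; otherwise
    MIT krb5 (dns_lookup_kdc defaults to true) looks up the SRV records
    returned here, so KDC reachability rides on DNS fail-over.
    """
    section, in_realm, kdcs = None, False, []
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "realms" and line.startswith(realm):
            in_realm = True
        elif in_realm and line.startswith("}"):
            in_realm = False
        elif in_realm and line.startswith("kdc"):
            kdcs.append(line.split("=", 1)[1].strip())
    if kdcs:
        return "static", kdcs
    return "dns-srv", [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]


if __name__ == "__main__":
    for name, listings in (("TESTDOMAIN", SOA_TESTDOMAIN), ("NORMAL", SOA_NORMAL)):
        print(name, soa_summary(listings))
    ns, opts = parse_resolv_conf(RESOLV_CONF)
    print("stall with first DC silent:", seconds_before_fallback(ns, opts, {ns[0]}), "s")
    print("KDC discovery:", kdc_discovery(KRB5_CONF, "MY.DOMAIN.TLD"))
```

Run stand-alone it prints that the test domain returns testdc1 as origin from both DCs while the Bind9 domain returns a different origin per DC, that a client with Ole's resolv.conf waits about one resolver timeout before the second DC is asked, and that his krb5.conf pins no KDC, so kinit depends on the _kerberos SRV records being resolvable through whichever nameserver is still answering.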
