[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland penny
rpenny at samba.org
Fri Dec 4 17:54:20 UTC 2015
On 04/12/15 16:42, Rowland penny wrote:
> On 04/12/15 16:20, Ole Traupe wrote:
>>
>>> Hi, if you can bear with me, I am trying to get the join to add the
>>> NS for the joining DC to the SOA. I believe I may be near to getting
>>> this working (after leading myself down the garden path; what I
>>> tried previously didn't work). Once it does, I should be able to
>>> answer your question; my test domain is using the internal DNS.
>>>
>>> Rowland
>>
>>
>> I am happy to hear that and hope that solves the problem! I have
>> tested fail-over now with the new NS record, but the situation is
>> more or less the same:
>>
>> - created the NS record and waited until I found the record to be
>> replicated
>> - restarted the windows machine I wanted to test this on
>> - suspended the 1st DC (currently a VM)
>> - tried to log-on to the windows test machine
>> - results:
>>
>> 1. first log-on for a user takes ~30 seconds (on a second test it was
>> up to 60 s)
>> 2. following second log-on takes only 5 s
>> 3. third log-on takes 2-3 s
>>
>> Confirmed this with a second user, the same time-out pattern. Seems
>> to me that Windows 7 keeps its default DC but is willing to make
>> exceptions on a user basis?
>>
>> However, I cannot say whether this actually is a server
>> authentication or an offline log-on. I looked into the Windows logs
>> ("Security") but didn't find anything conclusive.
>>
>>
>> Two other things to mention:
>>
>> - From Windows, I can access my home and other network shares
>> (located on a Samba 4 member server) as usual without any problem
>> (which is good!!)
>>
>> - But when I try to ssh to a member server, it still takes forever,
>> and a 'kinit' on a member server gives this:
>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials"
>>
>>
>> My /etc/krb5.conf looks like this (following your suggestions,
>> Rowland, as everything else is left at its default):
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>>
>>
>> So from a Windows client point of view, I am more or less fine (even
>> without restarting the machines). But it would be great if I could
>> log-in to the Linux member servers as well.
>>
>> Ole
>>
>>
>>
>
> I am getting nearer, I can now add another NS record to the SOA whilst
> joining a DC, it's the wrong record, but it was added :-D
>
> Now to get it to add the correct NS record (after I figure out just
> where I went wrong).
>
> Rowland
>
OK, I have now created the correct SOA NS record whilst joining a new DC
using the internal DNS server. If I run nslookup against each test DC, I
get back the same nameserver. If I do the same on my normal domain that
uses Bind9, I get a different nameserver from each DC.
TESTDOMAIN:
root at testdc2:~# nslookup
> set querytype=soa
> example.lan
Server: 192.168.0.240
Address: 192.168.0.240#53
example.lan
origin = testdc1.example.lan
mail addr = hostmaster.example.lan
serial = 3
refresh = 900
retry = 600
expire = 86400
minimum = 3600
Swap nameservers in resolv.conf
root at testdc2:~# nslookup
> set querytype=soa
> example.lan
Server: 192.168.0.241
Address: 192.168.0.241#53
example.lan
origin = testdc1.example.lan
mail addr = hostmaster.example.lan
serial = 3
refresh = 900
retry = 600
expire = 86400
minimum = 3600
NORMAL DOMAIN:
root at dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server: 192.168.0.6
Address: 192.168.0.6#53
samdom.example.com
origin = dc2.samdom.example.com
mail addr = hostmaster.samdom.example.com
serial = 101
refresh = 900
retry = 600
expire = 86400
minimum = 3600
Swap nameservers in resolv.conf
root at dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server: 192.168.0.5
Address: 192.168.0.5#53
samdom.example.com
origin = dc1.samdom.example.com
mail addr = hostmaster.samdom.example.com
serial = 101
refresh = 900
retry = 600
expire = 86400
minimum = 3600
Sorry Kia, but I think the moral of the story here is: don't use the
internal DNS server, use Bind9 instead.
Rowland
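The checks in this thread were done by hand: swapping the nameserver in resolv.conf, then reading the SOA "origin" out of nslookup. The script below is an added example, not code from the post or from the Samba project, that does the same comparison on captured answers and adds the one a Kerberos client cares about: with only `default_realm` in krb5.conf, MIT krb5 (its `dns_lookup_kdc` default) finds KDCs through the `_kerberos._tcp` / `_kerberos._udp` SRV records of the realm, so the surviving DC must still serve a usable SRV set. The dig-style answers embedded here are constructed samples that reuse the post's test hostnames; the function names, and the assumption that SRV records are published at priority 0 / weight 100, are mine.

```python
import re
from typing import Iterable, List, NamedTuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answers in `dig +noall +answer` format (not captures from
# the thread).  Host and zone names follow the post's test domain.  Both DCs
# here return the same SOA MNAME, which is what the internal DNS showed.
SOA_FROM_DC1 = (
    "example.lan.\t3600\tIN\tSOA\ttestdc1.example.lan. hostmaster.example.lan. "
    "3 900 600 86400 3600"
)
SOA_FROM_DC2 = SOA_FROM_DC1  # identical answer from the second DC (constructed)

# Kerberos SRV records as the second DC is assumed to serve them (constructed).
# A client with only default_realm in krb5.conf has nothing else to go on.
SRV_FROM_DC2 = """\
_kerberos._tcp.example.lan.\t900\tIN\tSRV\t0 100 88 testdc1.example.lan.
_kerberos._tcp.example.lan.\t900\tIN\tSRV\t0 100 88 testdc2.example.lan.
"""


def soa_origin(answer: str) -> str:
    """Return the MNAME (the 'origin' nslookup prints) from a SOA answer."""
    m = re.search(r"\bIN\s+SOA\s+(\S+)\s+\S+\s+\d+", answer)
    if not m:
        raise ValueError("no SOA record in answer")
    return m.group(1).rstrip(".")


def parse_srv(answer: str) -> List[SrvRecord]:
    """Parse SRV answer lines into (priority, weight, port, target) records."""
    records = []
    for line in answer.splitlines():
        m = re.search(r"\bIN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", line)
        if m:
            records.append(
                SrvRecord(int(m[1]), int(m[2]), int(m[3]), m[4].rstrip("."))
            )
    return records


def kdc_candidates(records: Iterable[SrvRecord],
                   down: Iterable[str] = ()) -> List[str]:
    """Order targets as a client tries them: lowest priority first, then
    higher weight.  RFC 2782 chooses among equal priorities by weighted
    random selection; a deterministic sort stands in for that here.
    Hosts listed in `down` are dropped to model an offline DC."""
    unreachable = set(down)
    live = [r for r in records if r.target not in unreachable]
    live.sort(key=lambda r: (r.priority, -r.weight, r.target))
    return [f"{r.target}:{r.port}" for r in live]


def soa_names_self(dc_host: str, answer: str) -> bool:
    """True when a DC reports itself as SOA MNAME (what each BIND9 DC in the
    post did); False for the shared-MNAME answer of the internal DNS."""
    return soa_origin(answer) == dc_host


def failover_report(srv_answer: str, down_dc: str) -> dict:
    """KDCs a default_realm-only client has left once `down_dc` is off."""
    records = parse_srv(srv_answer)
    return {
        "all_kdcs": kdc_candidates(records),
        "kdcs_with_dc_down": kdc_candidates(records, down=[down_dc]),
    }


if __name__ == "__main__":
    for host, answer in (("testdc1.example.lan", SOA_FROM_DC1),
                         ("testdc2.example.lan", SOA_FROM_DC2)):
        print(f"{host}: SOA origin {soa_origin(answer)}, "
              f"names itself: {soa_names_self(host, answer)}")
    print(failover_report(SRV_FROM_DC2, "testdc1.example.lan"))
```

To use it against real DCs, there is no need to edit resolv.conf: `dig @IP_of_2nd_DC my.domain.tld SOA +noall +answer` and `dig @IP_of_2nd_DC _kerberos._tcp.my.domain.tld SRV +noall +answer` query one server directly, and their output is what the two parsers expect. Run both with the first DC suspended; if the SRV answer is empty or the query times out, `kinit` on a member server will fail with the "Cannot contact any KDC" message quoted above regardless of what the SOA says.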