[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

mathias dufresne infractory at gmail.com
Fri Dec 4 18:58:55 UTC 2015

To check which DC was used to connect, simply type "set" in the MSDOS console
(cmd). Then look for a line which contains a DC name.

For Windows, they should try to find a DC at logon time, according to their
IP address and AD sites configuration, as explained earlier I think. This
process includes a DNS SRV request to find the LDAP server list, and then LDAP
requests are sent to the received SRV to find one working server, something
like the one replying the quickest (that's a foggy notion for me :)

For Linux and kinit that should be based on DNS resolution and caching, if
any. Now how kinit chooses a Kerberos server from DNS, I have no real idea.
It is possible to force usage of one particular Kerberos server by forcing it
in some configuration file and then using that file in the $KRB5_CONFIG
environment variable. At least you could use that to test if kinit works
when forced on the remaining server.

But that does not answer the question of failover for Linux parts :(

2015-12-04 17:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

>> Hi, If you can bear with me, I am trying to get the join to add the NS for
>> the joining DC to the SOA, I believe I may be near to get this working
>> (after leading myself down the garden path, what I tried previously, didn't
>> work), once it does, I should be able to answer your question, my test domain
>> is using the internal dns.
>> Rowland
> I am happy to hear that and hope that solves the problem! I have tested
> fail-over now with the new NS record, but the situation is more or less the
> same:
> - created the NS record and waited until I found the record to be
> replicated
> - restarted the windows machine I wanted to test this on
> - suspended the 1st DC (currently a VM)
> - tried to log-on to the windows test machine
> - results:
> 1. first log-on for a user takes ~30 seconds (on a second test it was up
> to 60 s)
> 2. following second log-on takes only 5 s
> 3. third log-on takes 2-3 s
> Confirmed this with a second user, the same time-out pattern. Seems to me
> that Windows 7 keeps its default DC but is willing to make exceptions on a
> user basis?
> However, I cannot say whether this actually is a server authentication or
> an offline log-on. I looked into the Windows logs ("Security") but didn't
> find anything conclusive.
> Two other things to mention:
> - From Windows, I can access my home and other network shares (located on
> a Samba 4 member server) as usual without any problem (which is good!!)
> - But when I try to ssh to a member server, it still takes forever, and a
> 'kinit' on a member server gives this:
>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting
> initial credentials"
> My /etc/krb5.conf looks like this (following your suggestions, Rowland, as
> everything else are defaults):
> [libdefaults]
>  default_realm = MY.DOMAIN.TLD
> And my /etc/resolv.conf is this:
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
> So from a Windows client point of view, I am more or less fine (even
> without restarting the machines). But it would be great if I could log-in
> to the Linux member servers as well.
> Ole
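
The test suggested at the top of this message (pointing kinit at one particular Kerberos server through a separate config file named in $KRB5_CONFIG) can be scripted as follows. This is an added example, not part of the original thread: the host name dc2.my.domain.tld is a hypothetical placeholder for the second DC, and the settings assume MIT krb5.

```shell
#!/bin/sh
# Added example: build a throwaway krb5.conf that pins kinit to a single KDC.
# The realm is the one from the thread; the KDC host name is a placeholder.

# write_pinned_krb5_conf REALM KDC_HOST OUTFILE
# Writes a minimal config that names exactly one KDC and turns off DNS SRV
# discovery, so success or failure can only be attributed to that server.
write_pinned_krb5_conf() {
    realm=$1 kdc=$2 out=$3
    if [ -z "$realm" ] || [ -z "$kdc" ] || [ -z "$out" ]; then
        echo "usage: write_pinned_krb5_conf REALM KDC_HOST OUTFILE" >&2
        return 2
    fi
    # Lower-case form of the realm for the [domain_realm] mapping.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# kinit_against CONF PRINCIPAL
# Uses the pinned config for this one command only; /etc/krb5.conf is not
# touched. KRB5_TRACE (MIT krb5) logs which KDC address is contacted.
kinit_against() {
    KRB5_CONFIG=$1 KRB5_TRACE=/dev/stderr kinit "$2"
}

# Typical use while the first DC is suspended (not run automatically):
#   write_pinned_krb5_conf MY.DOMAIN.TLD dc2.my.domain.tld /tmp/krb5-dc2.conf
#   kinit_against /tmp/krb5-dc2.conf someuser@MY.DOMAIN.TLD
```

If kinit succeeds with the pinned file but fails with the default /etc/krb5.conf, the second DC's KDC is working and the problem lies in how the client locates it.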