[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Wed Dec 9 17:16:41 UTC 2015


On 09/12/15 17:03, James wrote:
> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>
>>> - But when I try to ssh to a member server, it still takes forever, 
>>> and a 'kinit' on a member server gives this:
>>>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>>> getting initial credentials"
>>>
>>>
>>> My /etc/krb5.conf looks like this (following your suggestions, 
>>> Rowland, as everything else is left at the defaults):
>>>
>>> [libdefaults]
>>>  default_realm = MY.DOMAIN.TLD
>>>
>>> And my /etc/resolv.conf is this:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>
>> Any idea why I still get this when trying to log on to a member 
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>> getting initial credentials
>>
>> Ole
>>
>>
>>
> Ole,
>
>     I was trying to look back through your posts so excuse me if you 
> have answered this. What was your original krb.conf file contents? A 
> few things that may work are to specify the kdc and not rely on dns, 
> for instance:
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> MY.DOMAIN.TLD = {
> kdc = IP of First DC
> kdc = IP of Second DC
> }
>

If you have to do that, then there is something wrong with your dns and 
you need to fix this; dns is an important part of AD and really needs to 
work correctly.

I have been doing some testing with dns and with the internal dns 
server, even if you add another NS to the SOA record, you only have one 
NS. It seems the only way to get each DC to think it is an NS is to use 
bind9.

Rowland
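As an added illustration of the two positions in this thread (James: hard-code the KDCs; Rowland: if you have to, DNS is broken and should be fixed), here is a small audit script that is my own example, not code from the thread or from Samba. It parses a client's krb5.conf and compares the DCs against what the zone advertises; the hostnames, IPs (192.0.2.x) and record sets are constructed sample data, and you would feed it the real SRV/NS answers from `dig` or `samba-tool dns query`.

```python
import re

# Constructed sample data: two DCs, a zone whose SRV and NS records only
# name the first DC (the failure mode discussed in the thread).
DCS = ["dc1.my.domain.tld", "dc2.my.domain.tld"]
SRV_KDCS_BROKEN = ["dc1.my.domain.tld"]     # targets of _kerberos._udp SRV
NS_HOSTS_INTERNAL = ["dc1.my.domain.tld"]   # targets of the zone's NS records
DNS_CONF = "[libdefaults]\n default_realm = MY.DOMAIN.TLD\n"  # Ole's minimal conf
EXPLICIT_CONF = (  # James's suggestion, with placeholder IPs
    "[libdefaults]\ndefault_realm = MY.DOMAIN.TLD\n"
    "dns_lookup_kdc = false\ndns_lookup_realm = false\n\n"
    "[realms]\nMY.DOMAIN.TLD = {\nkdc = 192.0.2.1\nkdc = 192.0.2.2\n}\n")

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                              # new [section]
            section, realm = m.group(1).lower(), None
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            libdefaults[k.lower()] = v.lower()
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{", line)
            if m:                          # REALM = {
                realm = m.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.lower().startswith("kdc"):
                realms[realm].append(line.split("=", 1)[1].strip())
    return libdefaults, realms

def kdc_discovery_findings(conf_text, realm, dcs, srv_kdcs, ns_hosts):
    """List the reasons a client could fail over to a second KDC badly."""
    libdefaults, realms = parse_krb5_conf(conf_text)
    findings = []
    uses_dns = libdefaults.get("dns_lookup_kdc", "true") != "false"
    explicit = realms.get(realm, [])
    if uses_dns:                           # SRV lookup must name every DC
        findings += [f"SRV _kerberos._udp.{realm.lower()} does not list {dc}"
                     for dc in dcs if dc not in srv_kdcs]
    elif len(explicit) < 2:                # hard-coded, but no second KDC
        findings.append(f"dns_lookup_kdc=false but only {len(explicit)} kdc line(s) for {realm}")
    findings += [f"zone NS records do not list {dc}" for dc in dcs if dc not in ns_hosts]
    return findings
```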


