[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 10 13:25:29 UTC 2015


Is it possible that the kdc server is always the SOA, at least if derived 
from DNS and not specified *explicitly* in the krb5.conf?

In my DNS-Manager console I find that

_tcp.dc._msdcs.bpn.tu-berlin.de

contains only 1 "_kerberos" record, and that one points to my First_DC.

Ole



On 09.12.2015 at 18:16, Rowland penny wrote:
> On 09/12/15 17:03, James wrote:
>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>
>>>> - But when I try to ssh to a member server, it still takes forever, 
>>>> and a 'kinit' on a member server gives this:
>>>>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>>>> getting initial credentials"
>>>>
>>>>
>>>> My /etc/krb5.conf looks like this (following your suggestions, 
>>>> Rowland, as everything else are defaults):
>>>>
>>>> [libdefaults]
>>>>  default_realm = MY.DOMAIN.TLD
>>>>
>>>> And my /etc/resolv.conf is this:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>
>>> Any idea why I still get this when trying to log on to a member 
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>>> getting initial credentials
>>>
>>> Ole
>>>
>>>
>>>
>> Ole,
>>
>>     I was trying to look back through your posts, so excuse me if you 
>> have answered this. What were your original krb.conf file contents? One 
>> thing that may work is to specify the kdc and not rely on dns, 
>> for instance:
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
>>
>> [realms]
>> MY.DOMAIN.TLD = {
>> kdc = IP of First DC
>> kdc = IP of Second DC
>> }
>>
>
> If you have to do that, then there is something wrong with your dns 
> and you need to fix this; dns is an important part of AD and really 
> needs to work correctly.
>
> I have been doing some testing with dns and with the internal dns 
> server: even if you add another NS to the SOA record, you only have 
> one NS. It seems the only way to get each DC to think it is an NS is 
> to use bind9.
>
> Rowland
>
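A quick way to check what Ole found in the DNS-Manager console, i.e. whether the SRV records that AD clients use for KDC discovery (with the default dns_lookup_kdc = true) name every DC or only the first one. This is an added example, not code from the thread or from Samba; it parses the text that `dig +short SRV <name>` prints for each record, so it can be run on captured output. The domain and the host names first-dc/second-dc are placeholders standing in for the thread's MY.DOMAIN.TLD / First_DC, and the sample answers are constructed to mirror the situation described above.

```python
# Added example, not code from the thread. Checks whether the DNS SRV records
# that AD clients use for KDC discovery advertise more than one DC.
# Input is the text of `dig +short SRV <name>` for each record, so the check
# runs offline on captured output; the sample at the bottom is constructed.
from dataclasses import dataclass

# Standard AD/Kerberos SRV names (relative to the domain) and the port each
# record must carry.
EXPECTED_SRV = {
    "_kerberos._tcp.dc._msdcs": 88,
    "_ldap._tcp.dc._msdcs": 389,
    "_kerberos._tcp": 88,
    "_kerberos._udp": 88,
    "_kpasswd._tcp": 464,
    "_ldap._tcp": 389,
}


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # lower-case FQDN without trailing dot


def parse_srv_short(text: str) -> list[SrvRecord]:
    """Parse `dig +short SRV` output: one 'priority weight port target.' per line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"not an SRV answer line: {line!r}")
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return records


def check_kdc_srv(domain: str, answers: dict[str, str],
                  dcs: list[str]) -> dict[str, list[str]]:
    """Return {srv_fqdn: [problems]}; an empty list means the record is fine.

    answers maps a relative SRV name to the dig +short text for it (missing or
    empty text = no record). dcs lists every DC that should be advertised."""
    expected = {dc.rstrip(".").lower() for dc in dcs}
    report = {}
    for name, port in EXPECTED_SRV.items():
        fqdn = f"{name}.{domain}"
        recs = parse_srv_short(answers.get(name, ""))
        if not recs:
            report[fqdn] = ["no SRV record"]
            continue
        problems = []
        targets = {r.target for r in recs}
        missing = expected - targets
        if missing:
            problems.append("not advertised: " + ", ".join(sorted(missing)))
        if len(targets) < 2:
            problems.append("single target, no KDC failover")
        for r in recs:
            if r.port != port:
                problems.append(f"{r.target} uses port {r.port}, expected {port}")
        report[fqdn] = problems
    return report


# Constructed sample mirroring the thread: the _msdcs kerberos record names
# only the first DC, while the other records name both DCs.
DOMAIN = "my.domain.tld"
DCS = ["first-dc.my.domain.tld", "second-dc.my.domain.tld"]
SAMPLE_ANSWERS = {
    "_kerberos._tcp.dc._msdcs": "0 100 88 first-dc.my.domain.tld.\n",
    "_ldap._tcp.dc._msdcs": "0 100 389 first-dc.my.domain.tld.\n"
                            "0 100 389 second-dc.my.domain.tld.\n",
    "_kerberos._tcp": "0 100 88 first-dc.my.domain.tld.\n"
                      "0 100 88 second-dc.my.domain.tld.\n",
    "_kerberos._udp": "0 100 88 first-dc.my.domain.tld.\n"
                      "0 100 88 second-dc.my.domain.tld.\n",
    "_kpasswd._tcp": "0 100 464 first-dc.my.domain.tld.\n"
                     "0 100 464 second-dc.my.domain.tld.\n",
    "_ldap._tcp": "0 100 389 first-dc.my.domain.tld.\n"
                  "0 100 389 second-dc.my.domain.tld.\n",
}

if __name__ == "__main__":
    for fqdn, problems in check_kdc_srv(DOMAIN, SAMPLE_ANSWERS, DCS).items():
        print(fqdn, "OK" if not problems else "; ".join(problems))
```

Run against live data by filling the dict from `dig +short SRV _kerberos._tcp.dc._msdcs.<domain>` and so on for each name. A record that comes back with a single target is exactly the failure mode in the thread: when that one DC is down, a client relying on DNS has no other KDC to contact, regardless of what resolv.conf lists.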