[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 10 13:29:02 UTC 2015


On 10/12/15 13:18, Ole Traupe wrote:
>
>
> Am 09.12.2015 um 18:16 schrieb Rowland penny:
>> On 09/12/15 17:03, James wrote:
>>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>>
>>>>> - But when I try to ssh to a member server, it still takes 
>>>>> forever, and a 'kinit' on a member server gives this:
>>>>>   "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>>>>> getting initial credentials"
>>>>>
>>>>>
>>>>> My /etc/krb5.conf looks like this (following your suggestions, 
>>>>> Rowland, as everything else is left at the defaults):
>>>>>
>>>>> [libdefaults]
>>>>>  default_realm = MY.DOMAIN.TLD
>>>>>
>>>>> And my /etc/resolv.conf is this:
>>>>>
>>>>> search my.domain.tld
>>>>> nameserver IP_of_1st_DC
>>>>> nameserver IP_of_2nd_DC
>>>>
>>>> Any idea why I still get this when trying to log on to a member 
>>>> server while the first DC is down?
>>>>
>>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while 
>>>> getting initial credentials
>>>>
>>>> Ole
>>>>
>>>>
>>>>
>>> Ole,
>>>
>>>     I was trying to look back through your posts, so excuse me if you 
>>> have answered this. What were your original krb5.conf file contents? One 
>>> thing that may work is to specify the kdc entries and not rely on dns, 
>>> for instance:
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>> dns_lookup_kdc = false
>>> dns_lookup_realm = false
>>>
>>> [realms]
>>> MY.DOMAIN.TLD = {
>>> kdc = IP of First DC
>>> kdc = IP of Second DC
>>> }
>>>
>>
>> If you have to do that, then there is something wrong with your dns 
>> and you need to fix this; dns is an important part of AD and really 
>> needs to work correctly.
>>
>> I have been doing some testing with dns and with the internal dns 
>> server: even if you add another NS to the SOA record, you only have 
>> one NS. It seems the only way to get each DC to think it is a NS is 
>> to use bind9.
>>
>> Rowland
>
> Hm, as I said: swapping kdc and nameserver entries on the member 
> server (and restarting the network service) was able to solve the 
> problem, if I remember correctly.
>
>
>
>

This is what is in resolv.conf on each DC:

root@dc1:~# nano /etc/resolv.conf

search samdom.example.com
nameserver 192.168.0.6
nameserver 192.168.0.5

root@dc2:~# nano /etc/resolv.conf

search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

dc1.samdom.example.com is 192.168.0.5
dc2.samdom.example.com is 192.168.0.6

Both have just this in /etc/krb5.conf

[libdefaults]
         default_realm = SAMDOM.EXAMPLE.COM

Everything is working correctly.

Rowland
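
Rowland's resolv.conf and krb5.conf above, and James's static kdc= alternative earlier in the thread, are the three inputs a member server's KDC discovery depends on. The following is an added example, not part of this thread and not Samba project code: a Python check that parses a resolv.conf, a krb5.conf and a dig-style answer for the _kerberos._tcp SRV record, then reports where losing a single DC would leave the member with no nameserver to ask or no KDC to contact (the "Cannot contact any KDC" case). The sample files and the SRV answer are constructed to mirror the 192.168.0.5/.6 setup in the post; the note about slow lookups relies on glibc's default 5 s per-nameserver resolver timeout, which the thread itself does not mention.

```python
"""Check how a Samba domain member discovers its KDCs when one DC is down.

Added example for this thread, not Samba project code. All sample data is
constructed to mirror the thread (dc1 = 192.168.0.5, dc2 = 192.168.0.6).
"""
import re
from dataclasses import dataclass

# dig-style SRV line, e.g.
# "_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 dc1.samdom.example.com."
SRV_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Kdc:
    host: str
    port: int
    priority: int
    weight: int


def parse_resolv_conf(text):
    """Return (nameservers in the order glibc queries them, set of 'options' keywords)."""
    nameservers, options = [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts and parts[0] == "options":
            options.update(p.split(":")[0] for p in parts[1:])
    return nameservers, options


def parse_krb5_conf(text):
    """Return (dns_lookup_kdc, {REALM: [static kdc= values]}).

    MIT krb5 treats dns_lookup_kdc as true when unset, so a krb5.conf with
    only default_realm relies entirely on SRV records.
    """
    dns_lookup_kdc, realms = True, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        if section == "libdefaults" and key == "dns_lookup_kdc":
            dns_lookup_kdc = val.lower() in ("true", "yes", "1")
        elif section == "realms":
            if val == "{":                       # "REALM = {" opens a realm block
                realm = key
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and key == "kdc":
                realms[realm].append(val)
    return dns_lookup_kdc, realms


def kdcs_from_srv(answer):
    """Order SRV targets the way a client tries them: lowest priority first.

    RFC 2782 chooses among equal-priority records at random in proportion to
    weight; sorting heavier records first is a deterministic stand-in.
    """
    kdcs = []
    for line in answer.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            kdcs.append(Kdc(m["target"].rstrip("."), int(m["port"]),
                            int(m["prio"]), int(m["weight"])))
    return sorted(kdcs, key=lambda k: (k.priority, -k.weight))


def audit(resolv_conf, krb5_conf, realm, srv_answer):
    """Return (errors, notes); no errors means any one DC can be lost and the
    member still has a nameserver to ask and a second KDC to contact."""
    errors, notes = [], []
    nameservers, options = parse_resolv_conf(resolv_conf)
    if len(nameservers) < 2:
        errors.append("resolv.conf lists one nameserver: with that DC down no "
                      "SRV or A lookup can succeed, so no KDC is ever found")
    elif "timeout" not in options:
        notes.append("no 'options timeout:' in resolv.conf: each query that hits "
                     "a dead first nameserver waits glibc's 5 s default before "
                     "the next nameserver is asked")
    dns_lookup_kdc, realms = parse_krb5_conf(krb5_conf)
    candidates = list(realms.get(realm, []))
    if dns_lookup_kdc:
        candidates += [k.host for k in kdcs_from_srv(srv_answer)]
    if len(set(candidates)) < 2:
        errors.append(f"only {len(set(candidates))} KDC known for {realm} "
                      "(SRV records plus static kdc= lines): no failover possible")
    return errors, notes


# Constructed samples mirroring the thread.
RESOLV_TWO_DCS = "search samdom.example.com\nnameserver 192.168.0.5\nnameserver 192.168.0.6\n"
RESOLV_ONE_DC = "search samdom.example.com\nnameserver 192.168.0.5\n"
KRB5_MINIMAL = "[libdefaults]\n    default_realm = SAMDOM.EXAMPLE.COM\n"
KRB5_STATIC = ("[libdefaults]\ndefault_realm = SAMDOM.EXAMPLE.COM\n"
               "dns_lookup_kdc = false\ndns_lookup_realm = false\n\n[realms]\n"
               "SAMDOM.EXAMPLE.COM = {\n    kdc = 192.168.0.5\n    kdc = 192.168.0.6\n}\n")
SRV_BOTH = ("_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 dc1.samdom.example.com.\n"
            "_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 dc2.samdom.example.com.")
SRV_ONE = "_kerberos._tcp.samdom.example.com. 900 IN SRV 0 100 88 dc1.samdom.example.com."

if __name__ == "__main__":
    for label, args in {"two DCs, SRV for both": (RESOLV_TWO_DCS, KRB5_MINIMAL, "SAMDOM.EXAMPLE.COM", SRV_BOTH),
                        "one nameserver": (RESOLV_ONE_DC, KRB5_MINIMAL, "SAMDOM.EXAMPLE.COM", SRV_BOTH),
                        "SRV names only dc1": (RESOLV_TWO_DCS, KRB5_MINIMAL, "SAMDOM.EXAMPLE.COM", SRV_ONE)}.items():
        errors, notes = audit(*args)
        print(f"{label}: {errors or 'OK'} {notes}")
```

On a real member server the SRV answer would come from `dig SRV _kerberos._tcp.samdom.example.com` against each nameserver in turn; if the second DC's answer lacks the first DC (or vice versa), that is the DNS problem Rowland is pointing at, and James's static kdc= lines only mask it.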