[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Rowland penny
rpenny at samba.org
Fri Dec 11 14:24:52 UTC 2015
On 11/12/15 13:59, Ole Traupe wrote:
> Hi folks,
>
> a) thank you all for your help, I highly appreciate your time and
> effort, and I am sure I can resolve this issue very soon!
> b) I have to delay this until early next week, as I have to attend to
> other matters for now.
>
> All I can say, Louis, is that I won't set up a new DC to resolve this
> - at least not for now. This seems to be another problem of Samba4 not
> being able to deal with multiple DCs properly. And this has to be able
> to be resolved on an otherwise working domain without changing its
> architecture or other more drastic measures. This is my point of view
> at the moment. Your suggestion reminds me a bit of some typical forum
> replies to "Reinstall the OS" in case of any problems that can't be
> solved in an instant.
>
> If necessary, I will just create the missing DNS entries of my 2nd DC
> by hand. Although I would prefer a working script supplied by a
> professional (which I am not). At least I would like to know which DNS
> entries for my 2nd DC are essential for logins to work. I wouldn't
> very much like to try this out. However, I am aware that your time is
> as limited as mine (if not even more so), and you are under no obligation
> in any way.
>
> Besides, I didn't forget to delete anything. I used the script from
> the wiki to get rid of old records pertaining to my former 1st DC
> after I had created the records of my *new* 1st DC. I checked the
> results: everything related to my former first DC was gone. Also I
> documented/discussed this process here on the list. And nobody pointed
> me to things I forgot or was leaving out. I know that use of this
> script was totally "on my own risk". But the results were as they
> should have been, at least as far I am able to tell.
>
> That said, I will go through your responses and get back to you with
> results.
>
> Best, have a good weekend!
> Ole
>
>
Ole, when you provision a domain, all the required records are created,
but when you join another DC, most of the dns records are not created
until the samba daemon is started and samba_dnsupdate is run
automatically, see 'dns_update_list' for what is added (this is in
/usr/share/samba/setup & /var/lib/samba/private on debian).
If you want to add the missing NS records, add these lines to
'dns_update_list':

# RW DNS servers
${IF_RWDNS_DOMAIN}A   ${DNSDOMAIN}          $IP
${IF_RWDNS_DOMAIN}NS  ${DNSDOMAIN}          ${HOSTNAME}
# RW DNS servers
${IF_RWDNS_FOREST}NS  _msdcs.${DNSFOREST}   ${HOSTNAME}

You should be aware that even if you add these lines, they will not do
you any good at the moment if you use the internal dns server.
There is a problem: it looks like the records do not get added when
samba_dnsupdate is first run, but they are.
What you could do is this: copy the 'dns_update_list', replace all the
variables with your info (${DNSDOMAIN}, etc.), then use this to check what
you are missing and then add what isn't there.
Rowland
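The check Rowland describes, as an added example script (not from the thread or from Samba itself): it expands the three NS/A templates from dns_update_list with the values for a second DC, looks each record up with dig against one DC, and prints a samba-tool command for any that are missing. The domain, host name, addresses and the empty ${IF_RWDNS_*} values are assumed placeholders.

```shell
#!/bin/sh
# Added example: expand dns_update_list templates for a 2nd DC and check them in DNS.
# All values below are assumed placeholders; replace them with your own.
DNSDOMAIN="samdom.example.com"   # AD DNS domain
DNSFOREST="$DNSDOMAIN"           # forest root (same as the domain here)
HOSTNAME="dc2.$DNSDOMAIN"        # FQDN of the 2nd DC
IP="192.0.2.12"                  # its address
NAMESERVER="192.0.2.11"          # DC whose DNS is queried, e.g. the PDC
IF_RWDNS_DOMAIN=""               # empty on a DC that serves DNS, as in the list
IF_RWDNS_FOREST=""

# Same entries as in dns_update_list, "TYPE NAME VALUE" per line (constructed inline).
TEMPLATES='# RW DNS servers
${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}'

# expand_records: drop comments and substitute the variables, as samba_dnsupdate would.
expand_records() {
    printf '%s\n' "$TEMPLATES" | grep -v '^#' |
    sed -e 's/\${IF_RWDNS_DOMAIN}/'"$IF_RWDNS_DOMAIN"'/g' \
        -e 's/\${IF_RWDNS_FOREST}/'"$IF_RWDNS_FOREST"'/g' \
        -e 's/\${DNSDOMAIN}/'"$DNSDOMAIN"'/g' \
        -e 's/\${DNSFOREST}/'"$DNSFOREST"'/g' \
        -e 's/\${HOSTNAME}/'"$HOSTNAME"'/g' \
        -e 's/\$IP/'"$IP"'/g'
}

# record_present TYPE NAME VALUE: true if NAMESERVER answers NAME/TYPE with VALUE.
record_present() {
    dig +short +time=3 +tries=1 "@$NAMESERVER" "$2" "$1" 2>/dev/null |
    sed 's/\.$//' | grep -qixF "$3"
}

# check_records: report each record and print an add command for missing ones.
# These are zone-apex records, so the zone is the name and the record name is "@".
check_records() {
    expand_records | while read -r type name value; do
        if record_present "$type" "$name" "$value"; then
            echo "OK      $type $name -> $value"
        else
            echo "MISSING $type $name -> $value"
            echo "        samba-tool dns add $NAMESERVER $name @ $type $value -U Administrator"
        fi
    done
}

[ "${1:-}" = "check" ] && check_records
```

Run it as `sh check_dns.sh check` on a machine that can reach the DC; the same variable substitution can be applied to the full dns_update_list to cover the SRV and CNAME records as well.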