[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ole Traupe
ole.traupe at tu-berlin.de
Thu Dec 17 12:40:13 UTC 2015
>>> There is a known problem, even though the updates print '; TSIG
>>> error with server: tsig verify failure', it still works. Try running
>>> 'host -t SRV _kerberos._udp.my.domain.tld.' again.
>>>
>>> Rowland
>>
>> Nope, still one record.
>>
>>
>
> OK, lets just double check that, try running this:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> 'DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld'
> -s sub '(dc=_kerberos._udp)' --cross-ncs --show-binary
>
> That should all be one line and replace 'my.domain.tld' and
> 'DC=my,DC=domain,DC=tld' with the correct details
>
> This should show you the dns record.
>
> Rowland
>
Ok, I have manually added "_ldap", "_kerberos", and "_kpasswd" records
for my 2nd DC in all places where the 1st DC had such records. Thanks
for the script, Mathias, but I am trying to keep it simple for the moment.
I have another problem now: I accidentally created a record with a
wrong port. I then updated the port but was afraid of any consequences.
So I deleted that record again and wanted to re-create it. But I can't:
"The record already exists", although I can't see it in the GUI. And I
also can't delete it:

# samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100"
ERROR: Record does not exist
But it can be found with dig:

# dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV
;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc2.my.domain.tld.
;; Query time: 1 msec
;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
;; WHEN: Thu Dec 17 13:28:06 2015
;; MSG SIZE rcvd: 103
How do I get rid of this problematic record for dc2?
I also added the 2nd DC's NS record in the _msdcs zone, which was still
missing.
Rowland, the line you suggested above now gives this:
# record 1
dn: DC=_kerberos._udp,DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150616170602.0Z
uSNCreated: 3500
showInAdvancedViewOnly: TRUE
name: _kerberos._udp
objectGUID: c1a4f1b9-a02d-4fba-9221-2b95ec9b34fc
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=tld
dc: _kerberos._udp
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength              : 0x001e (30)
    wType                    : DNS_TYPE_SRV (33)
    version                  : 0x05 (5)
    rank                     : DNS_RANK_ZONE (240)
    flags                    : 0x0000 (0)
    dwSerial                 : 0x0000006e (110)
    dwTtlSeconds             : 0x00000384 (900)
    dwReserved               : 0x00000000 (0)
    dwTimeStamp              : 0x00000000 (0)
    data                     : union dnsRecordData(case 33)
        srv: struct dnsp_srv
            wPriority        : 0x0000 (0)
            wWeight          : 0x0064 (100)
            wPort            : 0x0058 (88)
            nameTarget       : dc1.my.domain.tld
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength              : 0x001e (30)
    wType                    : DNS_TYPE_SRV (33)
    version                  : 0x05 (5)
    rank                     : DNS_RANK_ZONE (240)
    flags                    : 0x0000 (0)
    dwSerial                 : 0x0000002b (43)
    dwTtlSeconds             : 0x000000b4 (180)
    dwReserved               : 0x00000000 (0)
    dwTimeStamp              : 0x003780ca (3637450)
    data                     : union dnsRecordData(case 33)
        srv: struct dnsp_srv
            wPriority        : 0x0000 (0)
            wWeight          : 0x0064 (100)
            wPort            : 0x0058 (88)
            nameTarget       : dc2.my.domain.tld
whenChanged: 20151217103443.0Z
uSNChanged: 7315
distinguishedName: DC=_kerberos._udp,DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld

# returned 1 records
# 1 entries
# 0 referrals
Status of the original problem (no logon when the 1st DC is down):
- logon to Windows is possible
- kinit on member servers works, with a *long* timeout
- ssh logon to a member server (with a domain account) works, with an *even
longer* timeout
- logon to a member server with some remote desktop solution does not work,
likely due to timeouts
Ole
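The ldbsearch dump above shows the raw dnsRecord values a Samba AD DC stores for a dnsNode, and the thread turns on whether each DC is actually present in those values with the right port. The following is an added example, not code from Samba or from anyone in this thread: it encodes and decodes SRV-type dnsRecord blobs and then checks a node's records against the list of DCs that should be advertised. The field layout and byte order (little-endian header, network-order dwTtlSeconds and SRV priority/weight/port, Samba's dnsp_name encoding for the target) are my reading of Samba's dnsp.idl and are an assumption to verify against your own `ldbsearch --show-binary` output; the host names and ports are constructed to mirror the dump.

```python
"""Decode Samba AD dnsRecord blobs (SRV type) and check DC coverage.

Added example, not Samba project code. Wire layout assumed from Samba's
dnsp.idl: dnsp_DnssrvRpcRecord header, then for wType 33 a dnsp_srv body
whose target uses the dnsp_name encoding. Verify the assumption against
`ldbsearch --show-binary` output before relying on it.
"""
import struct

DNS_TYPE_SRV = 33      # wType for SRV records
DNS_RANK_ZONE = 240    # rank value seen in the ldbsearch dump
# Header is little-endian except dwTtlSeconds, which is network order.
HDR_FMT = "<HHBBHI"    # wDataLength, wType, version, rank, flags, dwSerial
TAIL_FMT = "<II"       # dwReserved, dwTimeStamp


def encode_dnsp_name(name: str) -> bytes:
    """dnsp_name: total-length byte, label-count byte, length-prefixed labels, 0."""
    labels = name.rstrip(".").split(".")
    body = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return bytes([len(body), len(labels)]) + body


def decode_dnsp_name(buf: bytes, off: int) -> tuple[str, int]:
    """Return (dotted name, offset after the name); raise on a malformed blob."""
    total, count = buf[off], buf[off + 1]
    pos = off + 2
    labels = []
    for _ in range(count):
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    # The terminator must be 0 and the total-length byte must cover labels + 0.
    if buf[pos] != 0 or pos + 1 != off + 2 + total:
        raise ValueError("malformed dnsp_name")
    return ".".join(labels), pos + 1


def encode_srv_record(target: str, port: int, priority: int = 0, weight: int = 100,
                      ttl: int = 900, serial: int = 1, timestamp: int = 0) -> bytes:
    """Build one dnsRecord value for an SRV record (used to construct test data)."""
    data = struct.pack(">HHH", priority, weight, port) + encode_dnsp_name(target)
    hdr = struct.pack(HDR_FMT, len(data), DNS_TYPE_SRV, 5, DNS_RANK_ZONE, 0, serial)
    return hdr + struct.pack(">I", ttl) + struct.pack(TAIL_FMT, 0, timestamp) + data


def decode_dns_record(blob: bytes) -> dict:
    """Parse one dnsRecord value; only the SRV body is decoded here."""
    data_len, wtype, version, rank, flags, serial = struct.unpack_from(HDR_FMT, blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    _reserved, timestamp = struct.unpack_from(TAIL_FMT, blob, 16)
    if len(blob) != 24 + data_len:
        raise ValueError("wDataLength does not match blob size")
    rec = {"type": wtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if wtype == DNS_TYPE_SRV:
        rec["priority"], rec["weight"], rec["port"] = struct.unpack_from(">HHH", blob, 24)
        rec["target"], end = decode_dnsp_name(blob, 30)
        if end != len(blob):
            raise ValueError("trailing bytes after SRV target")
    return rec


def decode_dns_records(blobs: list[bytes]) -> list[dict]:
    """Decode every dnsRecord value of one dnsNode (the attribute is multi-valued)."""
    return [decode_dns_record(b) for b in blobs]


def _norm(host: str) -> str:
    # Stored targets carry no trailing dot; compare case-insensitively.
    return host.rstrip(".").lower()


def check_srv_coverage(records: list[dict], expected: dict[str, int]) -> dict:
    """Report DCs missing from the node, advertised with the wrong port, or listed twice.

    expected maps DC host name -> port that the service should advertise.
    """
    seen: dict[str, list[int]] = {}
    for r in records:
        if r["type"] == DNS_TYPE_SRV:
            seen.setdefault(_norm(r["target"]), []).append(r["port"])
    return {
        "missing": sorted(h for h in expected if _norm(h) not in seen),
        "wrong_port": sorted(h for h, p in expected.items()
                             if _norm(h) in seen and p not in seen[_norm(h)]),
        "duplicates": sorted(h for h, ports in seen.items() if len(ports) > 1),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the two _kerberos._udp entries in the dump.
    blobs = [encode_srv_record("dc1.my.domain.tld", 88, ttl=900, serial=110),
             encode_srv_record("dc2.my.domain.tld", 88, ttl=180, serial=43,
                               timestamp=3637450)]
    recs = decode_dns_records(blobs)
    for r in recs:
        print(r)
    print(check_srv_coverage(recs, {"dc1.my.domain.tld": 88, "dc2.my.domain.tld": 88}))
```

To run this against a real DC, fetch the dnsRecord values of the node (for example with the samba Python bindings or by base64-decoding an `ldbsearch` export) and pass them as `blobs`; a DC that `dig` reports but that appears under "wrong_port" or "duplicates" here is exactly the kind of stale entry that makes `samba-tool dns delete` reject a record that looks present in the GUI.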