[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ole Traupe
ole.traupe at tu-berlin.de
Thu Dec 17 12:44:15 UTC 2015
On 11.12.2015 at 15:24, Rowland penny wrote:
> On 11/12/15 13:59, Ole Traupe wrote:
>> Hi folks,
>>
>> a) thank you all for your help, I highly appreciate your time and
>> effort, and I am sure I can resolve this issue very soon!
>> b) I have to delay this until early next week, as I have to attend to
>> other matters for now.
>>
>> All I can say, Louis, is that I won't set up a new DC to resolve this
>> - at least not for now. This seems to be another problem of Samba4
>> not being able to deal with multiple DCs properly. And this has to be
>> able to be resolved on an otherwise working domain without changing
>> its architecture or other more drastic measures. This is my point of
>> view at the moment. Your suggestion reminds me a bit of some typical
>> forum replies to "Reinstall the OS" in case of any problems that
>> can't be solved in an instant.
>>
>> If necessary, I will just create the missing DNS entries of my 2nd DC
>> by hand. Although I would prefer a working script supplied by a
>> professional (which I am not). At least I would like to know which
>> DNS entries for my 2nd DC are essential for logins to work. I
>> wouldn't very much like to try this out. However, I am aware that
>> your time is as limited as mine (if not even more so), and you are in
>> no obligation in any way.
>>
>> Besides, I didn't forget to delete anything. I used the script from
>> the wiki to get rid of old records pertaining to my former 1st DC
>> after I had created the records of my *new* 1st DC. I checked the
>> results: everything related to my former first DC was gone. Also I
>> documented/discussed this process here on the list. And nobody
>> pointed me to things I forgot or was leaving out. I know that use of
>> this script was totally "on my own risk". But the results were as
>> they should have been, at least as far as I am able to tell.
>>
>> That said, I will go through your responses and get back to you with
>> results.
>>
>> Best, have a good weekend!
>> Ole
>>
>>
>
> Ole, when you provision a domain, all the required records are
> created, but when you join another DC, most of the dns records are not
> created until the samba daemon is started and samba_dnsupdate is run
> automatically, see 'dns_update_list' for what is added (this is in
> /usr/share/samba/setup & /var/lib/samba/private on debian)
>
> If you want to add the missing NS records, add these lines to
> 'dns_update_list' :
>
> # RW DNS servers
> ${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP
> ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
>
> # RW DNS servers
> ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}
>
> You should be aware that even if you add these lines, they will not do
> you any good at the moment if you use the internal dns server.
>
> There is a problem, it looks like the records do not get added when
> samba_dnsupdate is first run, but they are.
Rowland, I do not understand you in this point. Does or doesn't this
help me with the internal DNS?
>
> What you could do is this, copy the 'dns_update_list', replace all the
> variables with your info (${DNSDOMAIN} etc), then use this to check
> what you are missing and then add what isn't there.
>
> Rowland
>
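The check Rowland describes (copy dns_update_list, substitute the variables for the second DC, then see which of the resulting records the DNS server actually answers) as an added shell script. This is example code written for this page, not Samba's own tooling or anything posted in the thread. It assumes the single-line `${IF_ROLE}TYPE NAME TARGET [PORT]` syntax of dns_update_list, that `${HOSTNAME}` is the DC's FQDN (as samba_dnsupdate substitutes it), a single-domain forest (DNSFOREST = DNSDOMAIN), the Debian path /var/lib/samba/private/dns_update_list from the reply above, and `dig` for the live query; the domain name, host name, address and the abbreviated sample list are constructed. Lines guarded by a role the DC does not hold (for example `${IF_PDC}`) are dropped, since samba_dnsupdate would not create those for a non-PDC DC either, so they should not be counted as "missing".

```shell
#!/bin/sh
# Added example (not from Samba or the thread): expand dns_update_list for one
# DC and compare the expected records with what that DC's DNS server returns.
#
# dns_update_list lines look like:  ${IF_DC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
# i.e. an optional ${IF_<ROLE>} guard, then TYPE NAME TARGET [PORT].

# expand_dns_update_list FILE "ROLE ROLE ..." DNSDOMAIN DNSFOREST HOSTNAME IP
#   ROLES names the guards that apply to this DC (DC RWDC GC PDC RODC
#   RWDNS_DOMAIN RWDNS_FOREST). Guarded lines for other roles are dropped.
#   HOSTNAME must be the FQDN. ${NTDSGUID}/${DOMAINGUID}/${SITE} placeholders
#   are left untouched unless you extend the gsub list.
expand_dns_update_list() {
    awk -v roles=" $2 " -v dnsdomain="$3" -v dnsforest="$4" \
        -v hostname="$5" -v ip="$6" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blanks
    {
        line = $0
        # strip every ${IF_ROLE} guard; skip the line if the role is not ours
        while (match(line, /\$[{]IF_[A-Z_]+[}]/)) {
            role = substr(line, RSTART + 5, RLENGTH - 6)
            line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
            if (index(roles, " " role " ") == 0) next
        }
        gsub(/\$[{]DNSDOMAIN[}]/, dnsdomain, line)
        gsub(/\$[{]DNSFOREST[}]/, dnsforest, line)
        gsub(/\$[{]HOSTNAME[}]/, hostname, line)
        gsub(/\$IP/, ip, line)
        print line
    }' "$1"
}

# check_records SERVER  < expanded-list
#   Queries SERVER for each expected record; prints ok/MISSING per line and
#   returns non-zero if anything is missing. Needs dig (bind9-dnsutils).
check_records() {
    server="$1"; missing=0
    while read -r type name target port; do
        [ -n "$type" ] || continue
        answer=$(dig +short "@$server" "$name" "$type" 2>/dev/null)
        case " $answer " in
            *"$target"*) echo "ok      $type $name -> $target${port:+ :$port}" ;;
            *)           echo "MISSING $type $name -> $target${port:+ :$port}"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed, abbreviated dns_update_list in Samba's syntax; the real file
# (/var/lib/samba/private/dns_update_list on Debian) is much longer.
sample_dns_update_list() {
    cat <<'EOF'
# records samba_dnsupdate maintains for a DC (abbreviated sample)
${IF_DC}A ${HOSTNAME} $IP
${IF_DC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_GC}SRV _gc._tcp.${DNSDOMAIN} ${HOSTNAME} 3268

# RW DNS servers
${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}
EOF
}

# main HOSTNAME IP DNSDOMAIN "ROLES" [LISTFILE]
#   Assumes DNSFOREST = DNSDOMAIN and queries the DC's own address. Uses the
#   Debian dns_update_list if present, otherwise the constructed sample.
main() {
    list="${5:-/var/lib/samba/private/dns_update_list}"
    cleanup=""
    if [ ! -r "$list" ]; then
        list=$(mktemp); sample_dns_update_list > "$list"; cleanup="$list"
    fi
    expand_dns_update_list "$list" "$4" "$3" "$3" "$1" "$2" | check_records "$2"
    rc=$?
    [ -n "$cleanup" ] && rm -f "$cleanup"
    return $rc
}

# e.g.  sh check_dc_dns.sh dc2.samdom.example.com 192.168.1.2 samdom.example.com \
#          "DC RWDC RWDNS_DOMAIN RWDNS_FOREST"
if [ $# -ge 4 ]; then main "$@"; fi
```

Run it on the second DC against its own address; every MISSING line is a record samba_dnsupdate should have created and which you can add by hand (with `samba-tool dns add`) or by re-running `samba_dnsupdate --verbose`, which reports the same expansion. A second DC that is not the PDC emulator legitimately lacks the `pdc._msdcs` record, which is why the role filter matters.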