[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Thu Dec 17 13:11:13 UTC 2015

On 17/12/15 12:44, Ole Traupe wrote:
> On 11.12.2015 at 15:24, Rowland penny wrote:
>> On 11/12/15 13:59, Ole Traupe wrote:
>>> Hi folks,
>>> a) thank you all for your help, I highly appreciate your time and 
>>> effort, and I am sure I can resolve this issue very soon!
>>> b) I have to delay this until early next week, as I have to attend 
>>> to other matters for now.
>>> All I can say, Louis, is that I won't set up a new DC to resolve 
>>> this - at least not for now. This seems to be another problem of 
>>> Samba4 not being able to deal with multiple DCs properly. And this 
>>> has to be able to be resolved on an otherwise working domain without 
>>> changing its architecture or other more drastic measures. This is my 
>>> point of view at the moment. Your suggestion reminds me a bit of 
>>> some typical forum replies to "Reinstall the OS" in case of any 
>>> problems that can't be solved in an instant.
>>> If necessary, I will just create the missing DNS entries of my 2nd 
>>> DC by hand. Although I would prefer a working script supplied by a 
>>> professional (which I am not). At least I would like to know which 
>>> DNS entries for my 2nd DC are essential for logins to work. I 
>>> wouldn't very much like to try this out. However, I am aware that 
>>> your time is as limited as mine (if not even more so), and you are 
>>> in no obligation in any way.
>>> Besides, I didn't forget to delete anything. I used the script from 
>>> the wiki to get rid of old records pertaining to my former 1st DC 
>>> after I had created the records of my *new* 1st DC. I checked the 
>>> results: everything related to my former first DC was gone. Also I 
>>> documented/discussed this process here on the list. And nobody 
>>> pointed me to things I forgot or was leaving out. I know that use of 
>>> this script was totally "on my own risk". But the results were as 
>>> they should have been, at least as far as I am able to tell.
>>> That said, I will go through your responses and get back to you with 
>>> results.
>>> Best, have a good weekend!
>>> Ole
>> Ole, when you provision a domain, all the required records are 
>> created, but when you join another DC, most of the dns records are 
>> not created until the samba daemon is started and samba_dnsupdate is 
>> run automatically, see 'dns_update_list' for what is added (this is 
>> in /usr/share/samba/setup & /var/lib/samba/private on Debian)
>> If you want to add the missing NS records, add these lines to 
>> 'dns_update_list' :
>>   # RW DNS servers
>> ${DNSDOMAIN}                                          $IP
>> # RW DNS servers
>> You should be aware that even if you add these lines, they will not 
>> do you any good at the moment if you use the internal dns server.
>> There is a problem, it looks like the records do not get added when 
>> samba_dnsupdate is first run, but they are.
> Rowland, I do not understand you on this point. Does or doesn't this 
> help me with the internal DNS?

Hi Ole, from my testing, if you are using the Samba internal DNS server, 
you only have the one NS record pointing to your first DC, even if you 
do add the NS record for the second DC. If you use Bind9 instead, you do 
get two NS records.

