[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

[Rowland penny]

On 17/12/15 14:46, Ole Traupe wrote:
>
>
> Am 17.12.2015 um 14:32 schrieb Rowland penny:
>> On 17/12/15 12:50, Ole Traupe wrote:
>>>
>>> I somehow doubt that. Still it seems that no one here has an idea of 
>>> why log-on from member servers isn't working properly (for me). 
>>> However, in the meantime I have created all the necessary DNS 
>>> records. This can't be the issue anymore.
>>>
>>>
>>
>> If you are sure that you now have all the dns records for both DCs in 
>> AD, then I would agree that this is probably not the issue (there is 
>> just the 0.1% chance you are still missing something)
>>
>> Can your domain members find the DCs ?
>> Do your domain members have a FQDN ?
>> Are they joined to the domain ?
>> What have got in smb.conf on the domain members ?
>>
>> You may have posted all or some of this before, but lets start again.
>>
>> Rowland
>>
>
> Ok, there were still records missing (according to "samba_dnsupdate 
> --verbose"). I added them manually, and now I get "No DNS updates 
> needed" on both my DCs.
>
> Still/again: "kinit" takes more than a minute on member servers, and 
> login via ssh is impossible now (times out eventually).
>
> Some questions:
>
> - what about that corrupted record I mentioned earlier, how can I get 
> rid if it?

Have you tried using samba-tool ?

> - why does "samba_dnsupdate --verbose" on DC1 check records only 
> against 1 instance (record from DC1), while the same command issued on 
> DC2 checks records against both existing instances (records from DC1 
> and DC2)?

Don't know, if you understand python, you could try looking at the script.

>
> - why does the dns update fail in the first place? 

I am not sure that it does fail. When you provision the first DC, all 
the required dns entries are added by the provision, but when you join a 
DC, a lot of the dns entries are only added by the samba_dnsupdate 
script and this is only run when you start samba on the newly joined DC. 
It does print a lot of error messages, but it seems to work anyway.
If you check the dns on the first DC before starting the second, you 
will find missing dns entries, but these should be filled once the 
samba_dnsupdate script is run.

> will I have the same problem again with the next DC I set up?

Again, I am unsure why you are having the problems, so I do not know if 
you will have the same problems. If you have done some thing incorrectly 
and do this again when you join another DC, then you are likely to again 
have problems.

> - why do I still have the login problems?
>

Don't know, can you answer the questions I asked earlier.

Rowland

> Ole
>
>