[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Dec 17 15:48:40 UTC 2015

On 17.12.2015 at 16:21 Rowland penny wrote:
> On 17/12/15 14:46, Ole Traupe wrote:
>> On 17.12.2015 at 14:32 Rowland penny wrote:
>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>> I somehow doubt that. Still it seems that no one here has an idea 
>>>> of why log-on from member servers isn't working properly (for me). 
>>>> However, in the meantime I have created all the necessary DNS 
>>>> records. This can't be the issue anymore.
>>> If you are sure that you now have all the dns records for both DCs 
>>> in AD, then I would agree that this is probably not the issue (there 
>>> is just the 0.1% chance you are still missing something)
>>> Can your domain members find the DCs ?
>>> Do your domain members have a FQDN ?
>>> Are they joined to the domain ?
>>> What have you got in smb.conf on the domain members ?
>>> You may have posted all or some of this before, but let's start again.
>>> Rowland
>> Ok, there were still records missing (according to "samba_dnsupdate 
>> --verbose"). I added them manually, and now I get "No DNS updates 
>> needed" on both my DCs.
>> Still/again: "kinit" takes more than a minute on member servers, and 
>> login via ssh is impossible now (times out eventually).
>> Some questions:
>> - what about that corrupted record I mentioned earlier, how can I get 
>> rid of it?
> Have you tried using samba-tool ?

That's what I posted earlier:

"I accidentally created a record with a false port. I then updated the 
port but was afraid of any consequences. So I deleted that record again 
and wanted to re-create it. But I can't: "The record already exists." 
Although I can't see it in the gui. And I also can't delete it (EDIT: 
although this worked with the corresponding record for the 1st DC; so 
the command is ok):

# samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100"
ERROR: Record does not exist

But it can be found with dig:

# dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV

_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 

;; Query time: 1 msec
;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
;; WHEN: Thu Dec 17 13:28:06 2015
;; MSG SIZE  rcvd: 103"

>> - why does "samba_dnsupdate --verbose" on DC1 check records only 
>> against 1 instance (record from DC1), while the same command issued 
>> on DC2 checks records against both existing instances (records from 
>> DC1 and DC2)?
> Don't know, if you understand python, you could try looking at the 
> script.

Does it behave the same way on your 1st (one check) and 2nd DC (two checks)?

>> - why does the dns update fail in the first place? 
> I am not sure that it does fail. When you provision the first DC, all 
> the required dns entries are added by the provision, but when you join 
> a DC, a lot of the dns entries are only added by the samba_dnsupdate 
> script and this is only run when you start samba on the newly joined 
> DC. It does print a lot of error messages, but it seems to work anyway.
> If you check the dns on the first DC before starting the second, you 
> will find missing dns entries, but these should be filled once the 
> samba_dnsupdate script is run.

And this is what is not happening here. I can't say whether it is run 
when samba restarts, but when run manually, it fails. That's why I 
created the records by hand.

>> will I have the same problem again with the next DC I set up?
> Again, I am unsure why you are having the problems, so I do not know 
> if you will have the same problems. If you have done something 
> incorrectly and do this again when you join another DC, then you are 
> likely to again have problems.
>> - why do I still have the login problems?
> Don't know, can you answer the questions I asked earlier.
> Rowland
>> Ole

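The thread above turns on two things that are easy to get wrong by hand: an SRV record whose port was mistyped, and DCs that are missing from the record set one DC answers with. The following is an added example, not code from this thread or from the Samba project, that parses the answer section of `dig ... SRV` output and reconciles it with the DC set and port you expect (3268 for the global catalog, as in the thread). The dig output, the DC names and the mistyped port in the sample are constructed for the example.

```python
"""Reconcile the SRV records a DC returns with the DC set you expect.

Added example (not from the Samba project). It parses the answer section of
`dig <name> SRV` output and reports DCs that are missing, DCs advertised on
the wrong port, and targets that should not be there at all.
"""
import re
from dataclasses import dataclass

# One dig answer line: <name> <ttl> IN SRV <prio> <weight> <port> <target>
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def _norm(name: str) -> str:
    """Lower-case and strip the trailing dot so dig and samba-tool spellings compare equal."""
    return name.rstrip(".").lower()


def parse_dig_srv(text: str) -> list[SrvRecord]:
    """Return the SRV records from dig output; comment lines (';') and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_RE.match(line)
        if m:
            records.append(SrvRecord(
                name=_norm(m["name"]), ttl=int(m["ttl"]),
                priority=int(m["prio"]), weight=int(m["weight"]),
                port=int(m["port"]), target=_norm(m["target"]),
            ))
    return records


def check_srv(records: list[SrvRecord], expected_targets, expected_port: int) -> dict:
    """Compare parsed records with the DCs that should be advertised on `expected_port`.

    Returns {'missing': [...], 'wrong_port': [(target, port), ...], 'unexpected': [...]}.
    """
    expected = {_norm(t) for t in expected_targets}
    seen = {r.target for r in records}
    return {
        "missing": sorted(expected - seen),
        "wrong_port": sorted((r.target, r.port) for r in records
                             if r.target in expected and r.port != expected_port),
        "unexpected": sorted(seen - expected),
    }


# Constructed sample: dc1 is correct, dc2 was created with a mistyped port,
# dc3 has no record at all (as happens when samba_dnsupdate never ran on it).
SAMPLE_DIG = """
; <<>> DiG 9.8.2 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV

_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3269 dc2.my.domain.tld.

;; Query time: 1 msec
"""
EXPECTED_DCS = ["dc1.my.domain.tld", "dc2.my.domain.tld", "dc3.my.domain.tld"]
GC_LDAP_PORT = 3268


def diagnose(dig_text: str = SAMPLE_DIG) -> dict:
    """Run the check over dig output (the constructed sample by default)."""
    return check_srv(parse_dig_srv(dig_text), EXPECTED_DCS, GC_LDAP_PORT)


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it against real output by piping `dig @DC1 _ldap._tcp.gc._msdcs.<domain> SRV` into `diagnose()`, once per DC: a record set that differs between DCs is exactly the kind of inconsistency that makes clients hang on one DC and not the other, and comparing the two result dicts shows it directly.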