[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland Penny rowlandpenny241155 at gmail.com
Wed Nov 11 16:05:35 UTC 2015

On 11/11/15 15:20, Ole Traupe wrote:
> Hi,
> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux 
> member servers with my PDC being offline (plugged the cable). It is 
> not working so well.
> On Windows it initially takes forever. It works again after rebooting 
> the client, which seems to be the easiest solution (can be performed 
> by the user).
> On Linux member servers, ssh log-in eventually times out. It works 
> again, after I manually swap the DNS server order in the 
> /etc/resolv.conf and the KDC provider order in the /etc/krb5.conf. But 
> manual intervention is clearly not preferred here.

What have you got in /etc/resolv.conf on your first DC (please don't 
call it a PDC) , your second DC and a Unix client.

Your /etc/krb5.conf only needs to look like this:

         default_realm = SAMDOM.EXAMPLE.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

DNS should find your DCs

Are you running ntp on all the Unix machines?


> According to the sanity checks for domain controllers and members 
> servers on the wiki setup and troubleshooting pages, my domain is 
> working at its best.
> Is this due to DNS and kerberos timeouts accumulating? What is the 
> best way of dealing with this?
> Best,
> Ole

More information about the samba mailing list