[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 11 19:40:52 UTC 2015



Am 11.11.2015 um 17:05 schrieb Rowland Penny:
> On 11/11/15 15:20, Ole Traupe wrote:
>> Hi,
>>
>> I tested the AD (Samba4) domain log-in on Windows 7 clients and Linux 
>> member servers with my PDC being offline (plugged the cable). It is 
>> not working so well.
>>
>> On Windows it initially takes forever. It works again after rebooting 
>> the client, which seems to be the easiest solution (can be performed 
>> by the user).
>>
>> On Linux member servers, ssh log-in eventually times out. It works 
>> again, after I manually swap the DNS server order in the 
>> /etc/resolv.conf and the KDC provider order in the /etc/krb5.conf. 
>> But manual intervention is clearly not preferred here.
>
> What have you got in /etc/resolv.conf on your first DC (please don't 
> call it a PDC) , your second DC and a Unix client.

My resolv.conf files are "crossed":

# First_DC:
nameserver IP_OF_SECOND_DC
nameserver IP_OF_FIRST_DC
search my.domain.com

# Second_DC _AND_ member servers:
nameserver IP_OF_FIRST_DC
nameserver IP_OF_SECOND_DC
search my.domain.com


>
> Your /etc/krb5.conf only needs to look like this:
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true

It is, on the DCs. On the member server it is like this:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = MY.DOMAIN.COM
  dns_lookup_realm = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  MY.DOMAIN.COM = {
   kdc = first_dc.my.domain.com
   kdc = second_dc.my.domain.com
   admin_server = first_dc.my.domain.com
   default_domain = my.domain.com
  }

[domain_realm]
  my.domain.com = MY.DOMAIN.COM
  .my.domain.com = MY.DOMAIN.COM

If the First_DC is online, it is working perfectly.

The above "swapping" of the config lines was meant for the member 
server. Without swapping the lines in the resolv.conf I can ping the 
Second_DC (if the First_DC is offline), but it takes 5+ seconds before I 
get a response (DNS related?). So I figured the issue might be a too 
long timeout.

I am running ntp on all linux machines, and my time is in sync.

Thanks for your help, Rowland!


>
> DNS should find your DCs
>
> Are you running ntp on all the Unix machines?
>
> Rowland
>
>>
>> According to the sanity checks for domain controllers and members 
>> servers on the wiki setup and troubleshooting pages, my domain is 
>> working at its best.
>>
>> Is this due to DNS and kerberos timeouts accumulating? What is the 
>> best way of dealing with this?
>>
>> Best,
>> Ole
>>
>>
>>
>
>
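
The 5+ second delay mentioned above is what the glibc stub resolver does when the first nameserver is unreachable: it has no memory of a dead server between calls, so every lookup waits the full timeout (default 5 s) on the first DC before trying the second, and a login that performs several lookups pays that penalty several times. The script below is an added example, not code from the thread or from Samba: it parses a resolv.conf, models the stall for a given set of dead nameservers, and rewrites the file with the glibc `options timeout:n attempts:n` knobs. The timing model is a simplification (assumption: every dead server costs exactly `timeout` seconds per attempt; glibc scales its retransmit timers slightly), and the sample resolv.conf and addresses are constructed.

```python
"""Model of the glibc stub-resolver stall a Samba AD member server sees when
the first nameserver in /etc/resolv.conf is offline.

Added example; not code from the thread or from Samba. The resolv.conf
options are the real glibc ones (man 5 resolv.conf): timeout:n (default 5 s,
capped at 30), attempts:n (default 2, capped at 5) and rotate. The timing
model is a simplification (assumption: every dead server costs exactly
`timeout` seconds per attempt; glibc scales retransmit timers slightly).
All addresses and the sample file are constructed.
"""
import re

DEFAULT_TIMEOUT = 5    # glibc default, seconds per query to one server
DEFAULT_ATTEMPTS = 2   # glibc default, passes over the nameserver list

# Constructed sample: the member-server layout from the thread, first DC first.
MEMBER_RESOLV_CONF = """\
# member server: first DC, then second DC
nameserver 192.0.2.10
nameserver 192.0.2.11
search my.domain.com
"""


def parse_resolv_conf(text):
    """Extract nameservers, search list and the failover-relevant options."""
    conf = {"nameservers": [], "search": [], "timeout": DEFAULT_TIMEOUT,
            "attempts": DEFAULT_ATTEMPTS, "rotate": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # glibc treats these as comments
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key == "search":
            conf["search"] = args
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"(timeout|attempts):(\d+)", opt)
                if opt == "rotate":
                    conf["rotate"] = True
                elif m:
                    cap = 30 if m.group(1) == "timeout" else 5   # glibc clamps
                    conf[m.group(1)] = min(int(m.group(2)), cap)
    return conf


def lookup_delay(conf, dead):
    """Seconds a single lookup stalls before a live server answers.

    Each attempt walks the nameserver list in order; a dead server costs
    `timeout` seconds, the first live one answers at once. Returns None when
    every server is dead (the lookup fails after all attempts). `rotate` only
    changes where the walk starts, so this is the worst case with it too.
    """
    waited = 0
    for _ in range(conf["attempts"]):
        for ns in conf["nameservers"]:
            if ns in dead:
                waited += conf["timeout"]
            else:
                return waited
    return None


def login_stall(conf, dead, lookups):
    """Total resolver stall for a login that issues `lookups` DNS queries.

    glibc keeps no memory of a dead server between calls, so every query pays
    the penalty again: a 5 s stall per query becomes tens of seconds for a
    Kerberos login that resolves SRV records and KDC host names.
    """
    per_query = lookup_delay(conf, dead)
    return None if per_query is None else per_query * lookups


def set_options(text, timeout=1, attempts=2):
    """Return resolv.conf text with one options line enforcing fast failover."""
    kept = [l for l in text.splitlines() if not l.strip().startswith("options")]
    kept.append(f"options timeout:{timeout} attempts:{attempts}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    first_dc_down = {"192.0.2.10"}
    for label, text in (("default", MEMBER_RESOLV_CONF),
                        ("timeout:1", set_options(MEMBER_RESOLV_CONF))):
        conf = parse_resolv_conf(text)
        print(f"{label:10s} per lookup: {lookup_delay(conf, first_dc_down)} s, "
              f"login with 6 lookups: {login_stall(conf, first_dc_down, 6)} s")
```

To see the real numbers on a member server with the first DC unplugged, time a plain lookup with `time getent hosts second_dc.my.domain.com` and watch the Kerberos side with `KRB5_TRACE=/dev/stderr kinit user@MY.DOMAIN.COM`, which prints each KDC the MIT client tries and in what order. A lower `timeout:` shortens every stall without changing which server is asked first; only reordering the nameserver lines (or fixing the dead DC) removes it.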




More information about the samba mailing list