[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Harry Jede walk2sun at arcor.de
Thu Nov 12 12:26:00 UTC 2015 

On 12:55:46 wrote Ole Traupe:
> Am 12.11.2015 um 11:22 schrieb Harry Jede:
> > On 11:06:29 wrote Ole Traupe:
> >> Hi,
> >> 
> >> I tested the AD (Samba4) domain log-in on Windows 7 clients and
> >> Linux member servers with my PDC being offline (plugged the
> >> cable). It is not working so well.
> >> 
> >> On Windows it initially takes forever. It works again after
> >> rebooting the client, which seems to be the easiest solution (can
> >> be performed by the user).
> >> 
> >> On Linux member servers, ssh log-in eventually times out. It works
> >> again, after I manually swap the DNS server order in the
> >> /etc/resolv.conf and the KDC provider order in the /etc/krb5.conf.
> >> But manual intervention is clearly not preferred here.
> >> 
> >> According to the sanity checks for domain controllers and members
> >> servers on the wiki setup and troubleshooting pages, my domain is
> >> working at its best.
> >> 
> >> Is this due to DNS and kerberos timeouts accumulating?
> > 
> > It is DNS related.
> > 
> >> What is the best way of dealing with this?
> > 
> > The *best way* is a HA solution for your DNS Servers, but its
> > expensive.
> > 
> > The DNS client (resolver) caches the srv records for 15 minutes aka
> > 900 seconds.
> > 
> > ipconfig /flushdns drops the cache. Reboot does the same.
> 
> Will try this, thank you!
> 
> > On server side you may set shorter TTL for the server records, but
> > then you have more DNS traffic. On small netwoks (sites up to 20
> > clients, no wifi) I have good experience with a TTL of 180.
> 
> Ok. So I do this on my Samba DCs (my domain DNS servers), and this
> will affect Windows and Linux domain clients/member servers
> likewise?
Theoretically yes. Assume you have a imap or web server installed on 
your DC ( bad idea). I am pretty sure that some mail clients and 
browsers have their own cache for ip adressess. So the a records may be 
cached on application level. How do this caches works?

The soa record should only be used by the resolver libs.

The srv txt records are used by many apps. ie the netlogon process. 
Netlogon picks randomly one dc, if more than one record exist for a 
site. If this dc is down or unreachable, netlogon try this dc until ttl 
times out and then try the next one. This is at least true for windows 
xp, not for 2000. Should be true for all current windows versions.

-- 

Gruss
	Harry Jede

More information about the samba mailing list