[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ole Traupe
ole.traupe at tu-berlin.de
Fri Nov 20 12:40:43 UTC 2015
On 20.11.2015 at 11:54, mathias dufresne wrote:
> Hi Ole,
>
> I'm still not answering your issue but I come back to speak about TTL.
> Perhaps someone would be able to bring us some light on that.
>
> This morning I'm trying to reproduce the way I broke my test AD
> domain. This leads me to deal with the SOA record (I broke my test AD
> by seizing FSMO roles before removing the old FSMO owner; the SOA was
> not changed during that process and I suspect this was one of the
> points leading to all the issues this test domain has).
>
> Anyway:
> samba-tool dns query m700 samba.domain.tld samba.domain.tld SOA -k yes
> Name=, Records=1, Children=0
> SOA: serial=1, refresh=900, retry=600, expire=86400,
> *minttl=3600*, ns=m700.samba.domain.tld.,
> email=hostmaster.samba.domain.tld. (flags=600000f0, serial=1, *ttl=3600*)
> Name=_msdcs, Records=0, Children=0
> Name=_sites, Records=0, Children=1
> Name=_tcp, Records=0, Children=4
> Name=_udp, Records=0, Children=2
> Name=DomainDnsZones, Records=0, Children=2
> Name=ForestDnsZones, Records=0, Children=2
> Name=m700, Records=0, Children=0
>
> This shows us the TTL is in fact equal to the minimum TTL inside the AD DB.
Not for me:
SOA: serial=29, refresh=180, retry=600, expire=86400, minttl=180,
ns=DC2.my.domain.tld., email=hostmaster.my.domain.tld. (flags=600000f0,
serial=0, ttl=3600)
>
> According to
> http://stackoverflow.com/questions/20297531/meaning-of-the-five-fields-of-the-answer-section-in-dig-query
> the second member of dig's answer section is TTL.
>
> dig -t soa samba.domain.tld
> ...
> samba.domain.tld. *3593* IN SOA m700.samba.domain.tld.
> hostmaster.samba.domain.tld. 1 900 600 86400 3600
> ...
> When yesterday the same request gave the following answer:
>
> ...
> samba.domain.tld. *1715* IN SOA DC1.samba.domain.tld. 62 900 600
> 86400 3600
> ...
>
> So I ran that same command several times, and each time the value
> displayed as the second member (here 1715 or 3593) had decreased by
> the same number of seconds as the time between my command launches.
>
> It seems this shown TTL is the declared TTL (or minttl) minus the
> number of seconds since the last renewal of this TTL. No idea why this
> behaviour. If someone knows, I would be pleased to learn :)
Yes, I thought so. This is "remaining TTL" for you.
Interestingly, for me this value is always constant and equals 1h, no
matter what.
ANYWAYS, I would like to approach this from a different direction:
If my first DC is offline, a ping on any of my domain machines takes 5+
seconds to resolve. I figure that my logon problems reflect multiple
such timeouts during the logon process accumulating to a total duration
not accepted by the unix logon mechanism.
If there were ANY way to reduce the time (to 1 s or something) a
machine waits until it finally accepts that a DNS server just won't
respond and moves on to the next one... that actually might solve the
issue.
Is there an option for this on unix machines?
Ole
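Editorial note, added here and not part of the thread: the knob Ole is asking about exists in the glibc stub resolver and is documented in resolv.conf(5). Its defaults are a 5 second wait per nameserver (`timeout:5`) and 2 passes over the server list (`attempts:2`), and nameservers are queried in the order listed, which is exactly why a lookup stalls for 5 seconds whenever the first listed DC is down. The fragment below spells out those defaults beside a tuned configuration; the domain name and DC addresses are placeholders (assumptions), not taken from the thread.

```conf
# --- /etc/resolv.conf as the glibc defaults behave (weak) ---
# Servers are asked in order and each silent server costs `timeout`
# seconds, so every lookup stalls 5 s while DC1 is down before DC2 is
# even tried. (192.0.2.x are placeholder addresses.)
search my.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:5 attempts:2

# --- /etc/resolv.conf tuned (corrected) ---
# Give up on a silent server after 1 s, and rotate the starting server
# so that only about half of the lookups hit the dead DC at all.
search my.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:1 attempts:2 rotate
```

Two caveats a practitioner should weigh. First, the glibc stub resolver keeps no memory of a dead server between processes, so with DC1 down each new process still pays the 1 second once; a local caching resolver (nscd or a caching forwarder) is the usual way to stop paying it at all. Second, `timeout:1` also turns a legitimately slow answer into a failure, so it is a trade-off rather than a free win. If resolv.conf is generated by DHCP or resolvconf on the machine, put the options in that tool's configuration instead, or they will be overwritten on the next lease or boot. The effect can be checked with DC1 unreachable by timing a lookup such as `time getent hosts dc2.my.domain.tld` before and after the change.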