[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Tue Jan 5 12:41:06 UTC 2016


For the member servers, to reduce timeouts etc. when one DC is down.

Change your resolv.conf to:
domain internal.domain.tld
search internal.domain.tld

nameserver IP_DC1
nameserver IP_DC2

options timeout:2
options attempts:2
options rotate
options edns0

See man resolv.conf for the options explained.

Ow.. and ..

domain and search are NOT exclusive anymore in Debian Jessie and up.
At least, I didn't find it anymore.

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Tuesday 5 January 2016 12:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> 
> >
> >     I can't recall but are you able to get a packet trace? This may
> > help further troubleshoot.
> 
> I'll look into this. However, Rowland stated that bind9 will be the only
> solution.
> 
> 
> >
> > Just to recap, do you have both servers listed as available DNS servers
> > on your workstations? As well as your member server?
> 
> Yes, of course. For member servers, this is the content of
> /etc/resolv.conf:
> 
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
> 
> 
> > A small tweak I made but haven't fully tested is adding the following
> > options to my resolv.conf.
> >
> > cat /etc/resolvconf/resolv.conf.d/tail
> > options timeout:1
> 
> Great, this sounds exactly like what I need! However, I tried this: no
> effect. I created this file and restarted the network service. But I
> still get long timeouts and can't log in via ssh when I suspend my 1st DC.
> 
> # cat /etc/resolvconf/resolv.conf.d/tail
> options timeout:1
> options edns0
> 
> Or do I need Network Manager for that?
> 
> 
> > options edns0
> 
> What's that for, particularly?
> 
> 
> >
> > timeout:n
> >        sets the amount of time the resolver will wait for a response
> >        from a remote name server before retrying the query via a
> >        different name server.  Measured in seconds, the default is
> >        RES_TIMEOUT (currently 5, see <resolv.h>).  The value for this
> >        option is silently capped to 30.
> >
> > edns0 (since glibc 2.6)
> >        sets RES_USE_EDNS0 in _res.options.  This enables support for
> >        the DNS extensions described in RFC 2671.
> >
> > From what I researched, this is the intended behavior on a Microsoft
> > Server. Again I can disable my "PDC" and log in from a Windows
> > workstation just fine. It appears for some users after an hour or so
> > they run into issues
> 
> I thought this was only happening with roaming machines resulting in
> cached logins.
> 
> 
> 
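
One way to check whether a member server's resolv.conf actually carries the failover settings discussed in this thread, comparing the "before" file from the quoted message with the one suggested in the reply. This is an added example, not code from the thread or from Samba; the function names `parse_resolv_conf` and `audit` are hypothetical, and the caps and the three-nameserver limit are taken from resolv.conf(5) for glibc.

```python
# Added example: audit resolv.conf text for the DNS failover settings discussed above.
DEFAULTS = {"timeout": 5, "attempts": 2}   # glibc defaults per resolv.conf(5)
CAPS = {"timeout": 30, "attempts": 5}      # values above these are silently capped
MAXNS = 3                                  # glibc uses at most three nameserver lines

def parse_resolv_conf(text):
    """Return the settings the resolver would use for this resolv.conf text."""
    cfg = {"nameservers": [], "flags": set(), **DEFAULTS}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":   # blank line or comment
            continue
        key, args = fields[0], fields[1:]
        if key == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif key == "options":                   # several options lines accumulate
            for opt in args:
                name, _, value = opt.partition(":")
                if name in CAPS and value.isdigit():
                    cfg[name] = min(int(value), CAPS[name])
                else:
                    cfg["flags"].add(name)
    cfg["nameservers"] = cfg["nameservers"][:MAXNS]
    return cfg

def audit(text):
    """Return (settings, findings); findings is empty when failover is tuned."""
    cfg, findings = parse_resolv_conf(text), []
    if len(cfg["nameservers"]) < 2:
        findings.append("fewer than two nameservers: no DNS failover")
    if cfg["timeout"] >= DEFAULTS["timeout"]:
        findings.append("timeout not lowered: %ds wait per unanswered query" % cfg["timeout"])
    if "rotate" not in cfg["flags"]:
        findings.append("no rotate: every lookup tries the first nameserver first")
    return cfg, findings

# Constructed samples using the placeholders from the thread.
BEFORE = "search my.domain.tld\nnameserver IP_of_1st_DC\nnameserver IP_of_2nd_DC\n"
AFTER = """domain internal.domain.tld
search internal.domain.tld
nameserver IP_DC1
nameserver IP_DC2
options timeout:2
options attempts:2
options rotate
options edns0
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        cfg, findings = audit(text)
        print(label, cfg["timeout"], cfg["attempts"], sorted(cfg["flags"]), findings)
```

Feeding `audit()` the contents of the live /etc/resolv.conf after a network restart shows whether options placed in /etc/resolvconf/resolv.conf.d/tail actually reached the file the resolver reads.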




