[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Tue Jan 5 15:36:14 UTC 2016 

Comments inline

On 1/5/2016 6:30 AM, Ole Traupe wrote:
>
>>
>>     I can't recall but are you able to get a packet trace? This may 
>> help further troubleshoot.
>
> I'll look into this. However, Rowland stated that bind9 will be the 
> only solution.
I'm not sure this is 100% correct. I just did a packet trace and I do 
not see any NS or SOA records being requested during authentication. 
This is only from a Windows 7 workstation. I do not have a test member 
server setup to test it's behavior.
>
>
>>
>> Just to recap you do you both servers listed as available DNS servers 
>> on your workstations? As well as your member server? 
>
> Yes, of course. For member servers, this is the content of 
> /etc/resolv.conf:
>
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
>
>
>> I made a small tweak but haven't fully tested is adding the following 
>> options to my resolv.conf.
>>
>> cat /etc/resolvconf/resolv.conf.d/tail
>> options timeout:1
>
> Great, this sounds exactly as what I need! However, I tried this: no 
> effect. I created this file and restarted the network service. But I 
> still get long timeouts and can't login via ssh, when I suspend my 1st 
> DC.

I assume you are only testing against your member server?

>
> # cat /etc/resolvconf/resolv.conf.d/tail
> options timeout:1
> options edns0
>
> Or do I need Network Manager for that?
No.
>
>
>> options edns0
>
> What's that for, particularly?
In short read below. For more details read the RFC 2671

"The Domain Name System's wire protocol includes a number of fixed 
fields whose range has been or soon will be exhausted and does not allow 
clients to advertise their capabilities to servers"


>
>
>>
>> timeout:n
>>                      sets the amount of time the resolver will wait 
>> for a response from a remote name server before retrying the query  
>> via  a  different  name
>>                      server.  Measured in seconds, the default is 
>> RES_TIMEOUT (currently 5, see <resolv.h>).  The value for this option 
>> is silently capped to 30.
>>
>> edns0 (since glibc 2.6)
>>                      sets RES_USE_EDNSO in _res.options.  This 
>> enables support for the DNS extensions described in RFC 2671.
>>
>> From what I researched, this is the intended behavior on a Microsoft 
>> Server. Again I can disable my "PDC" and log in from a windows 
>> workstation just fine. It appears for some users after a hour or so 
>> they run into issues 
>
> I thought this was only happening with roaming machines resulting in 
> cached logins.
>
>
>
Windows will cache kerberos information. Below is a brief printout from 
my packet trace.

172.16.232.30    172.16.232.39    TCP    66    56275→88 [SYN] Seq=0 
Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

You can see above that my workstation(172.16.232.30) is trying to access 
the server on port 88( I took the server down). It doesn't matter what 
you have in your DNS settings. It will pull from the cache if you have 
already authenticated prior. I removed the DNS 172.16.232.39 from my 
workstation and it still attempted to contact this IP. Less then a 
second it will give up and use DNS to find another DC to contact.

172.16.232.30    172.16.232.29    DNS    126    Standard query 0x39dd  
SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local
172.16.232.29    172.16.232.30    DNS    178    Standard query response 
0x39dd  SRV 0 100 88 dc1.domain.local SRV 0 100 88 dc2.domain.local
172.16.232.30    172.16.232.29    DNS    76    Standard query 0x1ccb  A 
dc1.domain.local
172.16.232.29    172.16.232.30    DNS    92    Standard query response 
0x1ccb  A 172.16.232.29
172.16.232.30    172.16.232.29    CLDAP    210    searchRequest(250) 
"<ROOT>" baseObject
172.16.232.29    172.16.232.30    CLDAP    180 searchResEntry(250) 
"<ROOT>" searchResDone(250) success  [1 result]

Above you see my workstation used it's next configured DNS 
IP(172.16.232.29) to contact another DC that it could authenticate 
against. Once it receives these records and responses it moves onto the 
3 way handshake and transmitting of the TGT.

Now I took down my "backup" DC in this instance. But the same rules 
should still apply.



-- 
-James

More information about the samba mailing list