[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
ole.traupe at tu-berlin.de
Wed Jan 6 15:56:26 UTC 2016
Ok, I updated resolv.conf as you said. Then I restarted the network
service on this member server and afterwards suspended the 1st DC. Now,
kinit gives me again:
"Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
> For the member servers, to reduce timeouts etc when one DC is down.
> Change your resolv.conf to :
> domain internal.domain.tld
> search internal.domain.tld
> nameserver IP_DC1
> nameserver IP_DC2
> options timeout:2
> options attempts:2
> options rotate
> options edns0
> see man resolv.conf for the options explained.
> Ow.. and ..
> domain and search are NOT exclusive anymore in Debian Jessie and up.
> At least, I didn't find it anymore.
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Tuesday, 5 January 2016 12:30
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>> I can't recall but are you able to get a packet trace? This may
>>> help further troubleshoot.
>> I'll look into this. However, Rowland stated that bind9 will be the only
>>> Just to recap, you do have both servers listed as available DNS servers
>>> on your workstations? As well as your member server?
>> Yes, of course. For member servers, this is the content of
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>>> I made a small tweak but haven't fully tested is adding the following
>>> options to my resolv.conf.
>>> cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>> Great, this sounds exactly as what I need! However, I tried this: no
>> effect. I created this file and restarted the network service. But I
>> still get long timeouts and can't login via ssh, when I suspend my 1st DC.
>> # cat /etc/resolvconf/resolv.conf.d/tail
>> options timeout:1
>> options edns0
>> Or do I need Network Manager for that?
>>> options edns0
>> What's that for, particularly?
>>> sets the amount of time the resolver will wait
>>> for a response from a remote name server before retrying the query
>>> via a different name
>>> server. Measured in seconds, the default is
>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
>>> is silently capped to 30.
>>> edns0 (since glibc 2.6)
>>> sets RES_USE_EDNS0 in _res.options. This enables
>>> support for the DNS extensions described in RFC 2671.
>>> From what I researched, this is the intended behavior on a Microsoft
>>> Server. Again I can disable my "PDC" and log in from a windows
>>> workstation just fine. It appears for some users after an hour or so
>>> they run into issues
>> I thought this was only happening with roaming machines resulting in
>> cached logins.
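The `options` lines discussed in this thread only help if they actually end up in the resolv.conf the resolver reads. The following added example (not from the thread or from the Samba project) parses a resolv.conf and prints the resulting settings, using the defaults and caps documented in resolv.conf(5). The function names and the 192.0.2.x addresses are constructed.

```shell
# Added example: report the settings a resolv.conf yields under the rules
# documented in resolv.conf(5). Names and addresses here are constructed.
effective_resolver() {   # usage: effective_resolver [file]  (stdin if omitted)
    awk '
    BEGIN { timeout = 5; attempts = 2; rotate = "no"; edns0 = "no"; n = 0 }
    /^[#;]/ { next }                      # comment lines start in column one
    $1 == "nameserver" && $2 != "" { if (n < 3) ns[++n] = $2 }  # MAXNS is 3
    $1 == "options" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^timeout:[0-9]+$/)       timeout  = substr($i, 9) + 0
            else if ($i ~ /^attempts:[0-9]+$/) attempts = substr($i, 10) + 0
            else if ($i == "rotate")           rotate = "yes"
            else if ($i == "edns0")            edns0 = "yes"
        }
    }
    END {
        if (timeout > 30) timeout = 30    # documented silent cap
        if (attempts > 5) attempts = 5    # documented silent cap
        list = ""
        for (i = 1; i <= n; i++) { list = list sep ns[i]; sep = "," }
        printf "nameservers=%s timeout=%d attempts=%d rotate=%s edns0=%s\n",
               list, timeout, attempts, rotate, edns0
    }' "$@"
}

# Constructed sample: a member-server file with no options lines.
sample_plain() {
cat <<'EOF'
search my.domain.tld
nameserver 192.0.2.10
nameserver 192.0.2.11
EOF
}

# Constructed sample: the same file with the options suggested in the thread.
sample_tuned() {
cat <<'EOF'
search internal.domain.tld
nameserver 192.0.2.10
nameserver 192.0.2.11
options timeout:2 attempts:2
options rotate edns0
EOF
}

sample_plain | effective_resolver
sample_tuned | effective_resolver
```

Running `effective_resolver /etc/resolv.conf` on the member server after restarting networking shows whether the options from the `tail` file were merged into the live file.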