[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Wed Jan 6 15:56:26 UTC 2016

Ok, I updated resolv.conf as you said. Then I restarted the network 
service on this member server and afterwards suspended the 1st DC. Now, 
kinit gives me again:

"Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting 
initial credentials"


On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
> For the member servers, to reduce timeouts etc when one DC is down.
> Change your resolv.conf to :
> domain internal.domain.tld
> search internal.domain.tld
> nameserver IP_DC1
> nameserver IP_DC2
> options timeout:2
> options attempts:2
> options rotate
> options edns0
> see man resolv.conf for the options explained.
> Ow.. and ..
> domain and search are NOT exclusive anymore in Debian Jessie and up.
> At least, I didn't find it anymore.
> Greetz,
> Louis
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Tuesday, 5 January 2016 12:30
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>> I can't recall but are you able to get a packet trace? This may
>>> help further troubleshoot.
>> I'll look into this. However, Rowland stated that bind9 will be the only
>> solution.
>>> Just to recap, do you have both servers listed as available DNS servers
>>> on your workstations? As well as your member server?
>> Yes, of course. For member servers, this is the content of
>> /etc/resolv.conf:
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>>> I made a small tweak but haven't fully tested is adding the following
>>> options to my resolv.conf.
>>> cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>> Great, this sounds exactly as what I need! However, I tried this: no
>> effect. I created this file and restarted the network service. But I
>> still get long timeouts and can't login via ssh, when I suspend my 1st DC.
>> # cat /etc/resolvconf/resolv.conf.d/tail
>> options timeout:1
>> options edns0
>> Or do I need Network Manager for that?
>>> options edns0
>> What's that for, particularly?
>>> timeout:n
>>>     sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.
>>> edns0 (since glibc 2.6)
>>>     sets RES_USE_EDNSO in _res.options. This enables support for the DNS extensions described in RFC 2671.
>>> From what I researched, this is the intended behavior on a Microsoft
>>> Server. Again I can disable my "PDC" and log in from a Windows
>>> workstation just fine. It appears for some users after an hour or so
>>> they run into issues
>> I thought this was only happening with roaming machines resulting in
>> cached logins.
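
To check which resolver settings actually take effect on a member server, for instance after editing /etc/resolvconf/resolv.conf.d/tail, the sketch below parses resolv.conf text and applies the defaults and caps documented in resolv.conf(5). It is an added example, not part of the original thread; the function names and the 192.0.2.x addresses standing in for IP_DC1 and IP_DC2 are assumptions.

```python
# Added example (not from the thread): effective glibc resolver settings.
DEFAULT_TIMEOUT, MAX_TIMEOUT = 5, 30    # seconds; default and cap per resolv.conf(5)
DEFAULT_ATTEMPTS, MAX_ATTEMPTS = 2, 5   # default and cap per resolv.conf(5)
MAX_NAMESERVERS = 3                     # MAXNS: further nameserver lines are ignored

# Constructed samples; 192.0.2.x stands in for IP_DC1 / IP_DC2.
BEFORE = "search my.domain.tld\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n"
AFTER = BEFORE + ("options timeout:2\noptions attempts:2\n"
                  "options rotate\noptions edns0\n")


def effective_settings(text):
    """Parse resolv.conf text and return the settings that take effect."""
    cfg = {"nameservers": [], "timeout": DEFAULT_TIMEOUT,
           "attempts": DEFAULT_ATTEMPTS, "rotate": False, "edns0": False}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":      # blank line or comment
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            if len(cfg["nameservers"]) < MAX_NAMESERVERS:
                cfg["nameservers"].append(fields[1])
        elif fields[0] == "options":                # several options lines add up
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name == "timeout" and value.isdigit():
                    cfg["timeout"] = min(int(value), MAX_TIMEOUT)
                elif name == "attempts" and value.isdigit():
                    cfg["attempts"] = min(int(value), MAX_ATTEMPTS)
                elif name in ("rotate", "edns0"):
                    cfg[name] = True
    return cfg


def findings(cfg):
    """List the settings that slow lookups down while the first DC is offline."""
    out = []
    if len(cfg["nameservers"]) < 2:
        out.append("only one nameserver: no DNS failover at all")
    else:
        out.append("first nameserver down: %d s wait before the next is tried"
                   % cfg["timeout"])
    if not cfg["rotate"]:
        out.append("no rotate: every lookup starts at the first nameserver")
    return out


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, effective_settings(text), findings(effective_settings(text)))
```

Feeding it the contents of the live /etc/resolv.conf shows whether options written to the resolvconf tail file reached the file the resolver reads.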
