[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

James lingpanda101 at gmail.com
Wed Jan 6 18:09:35 UTC 2016


On 1/6/2016 10:56 AM, Ole Traupe wrote:
> Ok, I updated resolv.conf as you said. Then I restarted the network
> service on this member server and afterwards suspended the 1st DC.
> Now, kinit gives me again:
>
> "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting 
> initial credentials"
>
> Ole
>
>
> On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
>> For the member servers, to reduce timeouts etc when one DC is down.
>>
>> Change your resolv.conf to :
>> domain internal.domain.tld
>> search internal.domain.tld
>>
>> nameserver IP_DC1
>> nameserver IP_DC2
>>
>> options timeout:2
>> options attempts:2
>> options rotate
>> options edns0
>>
>> see man resolv.conf for the options explained.
>>
>> Ow.. and ..
>>
>> domain and search are NOT exclusive anymore in Debian Jessie and up.
>> At least, I didn't find it anymore.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>> Sent: Tuesday, 5 January 2016 12:30
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>>
>>>>      I can't recall but are you able to get a packet trace? This may
>>>> help further troubleshoot.
>>> I'll look into this. However, Rowland stated that bind9 will be the 
>>> only
>>> solution.
>>>
>>>
>>>> Just to recap, do you have both servers listed as available DNS servers
>>>> on your workstations? As well as on your member server?
>>> Yes, of course. For member servers, this is the content of
>>> /etc/resolv.conf:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>>
>>>
>>>> A small tweak I made but haven't fully tested is adding the following
>>>> options to my resolv.conf.
>>>>
>>>> cat /etc/resolvconf/resolv.conf.d/tail
>>>> options timeout:1
>>> Great, this sounds exactly like what I need! However, I tried this: no
>>> effect. I created this file and restarted the network service. But I
>>> still get long timeouts and can't log in via ssh when I suspend my
>>> 1st DC.
>>>
>>> # cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>>> options edns0
>>>
>>> Or do I need Network Manager for that?
>>>
>>>
>>>> options edns0
>>> What's that for, particularly?
>>>
>>>
>>>> timeout:n
>>>>     Sets the amount of time the resolver will wait for a response
>>>>     from a remote name server before retrying the query via a
>>>>     different name server. Measured in seconds, the default is
>>>>     RES_TIMEOUT (currently 5, see <resolv.h>). The value for this
>>>>     option is silently capped to 30.
>>>>
>>>> edns0 (since glibc 2.6)
>>>>     Sets RES_USE_EDNS0 in _res.options. This enables support for
>>>>     the DNS extensions described in RFC 2671.
>>>>
>>>> From what I researched, this is the intended behavior on a Microsoft
>>>> Server. Again, I can disable my "PDC" and log in from a Windows
>>>> workstation just fine. It appears that for some users, after an hour
>>>> or so, they run into issues.
>>> I thought this was only happening with roaming machines resulting in
>>> cached logins.
>>>
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>
Ole,

     Sorry you are having so many issues. I've tried reading back
through this thread to verify everything that has been covered. Can you
try this command with the "PDC" up and down? Reply with your findings.

KRB5_TRACE=/dev/stdout kinit administrator

-- 
-James
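The resolv.conf tuning Louis recommends above (both DCs listed, timeout:2, attempts:2, rotate) can be checked mechanically before the next failover test. The script below is an added example for this thread, not code from any of the posters or from Samba: it audits a resolv.conf for those settings and estimates how long a lookup stalls once the first DC is suspended. The sample files are constructed here with documentation-range placeholder IPs (192.0.2.x) rather than the real DC addresses, and the stall estimate uses a deliberately simple model (the stub resolver waits `timeout` seconds on a dead server before trying the next one, `attempts` times over the list); glibc's real per-retry scaling differs in detail, so read the numbers as an upper-bound sketch.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): audit a resolv.conf
# for DC failover readiness and estimate the lookup stall with DC1 down.
# Stall model is an assumption: one `timeout` wait per dead server per
# attempt; glibc's exact retry scaling is more involved.

# Print the value of "options KEY:VALUE" (or "set" for flag options such
# as rotate) from FILE; the last occurrence wins. Prints nothing if absent.
resolv_setting() {
    awk -v key="$2" '
        $1 == "options" {
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, ":")
                if (kv[1] == key) v = (n > 1) ? kv[2] : "set"
            }
        }
        END { if (v != "") print v }' "$1"
}

# Number of "nameserver" lines in FILE.
resolv_ns_count() {
    awk '$1 == "nameserver" { c++ } END { print c + 0 }' "$1"
}

# Seconds one lookup stalls when the first nameserver is down: the
# resolver waits one timeout, then the second server answers.
# glibc defaults (man 5 resolv.conf) apply when the option is unset.
stall_first_ns_down() {
    t=$(resolv_setting "$1" timeout); : "${t:=5}"
    echo "$t"
}

# Seconds until the resolver gives up when every nameserver is down.
stall_all_down() {
    t=$(resolv_setting "$1" timeout); : "${t:=5}"
    a=$(resolv_setting "$1" attempts); : "${a:=2}"
    n=$(resolv_ns_count "$1")
    echo $(( t * a * n ))
}

# Audit FILE; prints findings and returns 0 when it matches the
# recommendation from the thread (>=2 nameservers, timeout<=2,
# attempts<=2, rotate present), 1 otherwise.
audit_resolv() {
    f=$1; rc=0
    n=$(resolv_ns_count "$f")
    t=$(resolv_setting "$f" timeout); : "${t:=5}"
    a=$(resolv_setting "$f" attempts); : "${a:=2}"
    r=$(resolv_setting "$f" rotate)
    [ "$n" -ge 2 ] || { echo "FAIL: $n nameserver(s) listed; both DCs must be present"; rc=1; }
    [ "$t" -le 2 ] || { echo "FAIL: timeout:$t (glibc default 5); use timeout:2"; rc=1; }
    [ "$a" -le 2 ] || { echo "FAIL: attempts:$a; use attempts:2"; rc=1; }
    [ -n "$r" ]    || { echo "WARN: no 'options rotate'; every lookup hits the dead first DC"; rc=1; }
    echo "stall per lookup with DC1 down: $(stall_first_ns_down "$f")s;" \
         "give up with both DCs down after: $(stall_all_down "$f")s"
    return $rc
}

# Constructed sample files (placeholder IPs, not the poster's real ones):
# the member server's original resolv.conf and the tuned version.
tmp=$(mktemp -d)
cat > "$tmp/before.conf" <<'EOF'
search my.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
EOF
cat > "$tmp/after.conf" <<'EOF'
domain internal.domain.tld
search internal.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:2
options attempts:2
options rotate
options edns0
EOF

echo "== before =="; audit_resolv "$tmp/before.conf" || true
echo "== after ==";  audit_resolv "$tmp/after.conf"  || true
```

To check a live member server, call `audit_resolv /etc/resolv.conf` (or the resolvconf tail file) instead of the samples; a non-zero exit means the box will still sit through the default 5-second wait on every lookup while the first DC is down, which is what the long ssh and kinit delays in this thread look like from the resolver's side.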



