[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Jan 7 08:45:47 UTC 2016


Hi Ole,

What does this give you as output? 
host bpn.tu-berlin.de 

I assume your DNS domain name is the same as your REALM_NAME?

For me it shows the 2 IP addresses of my DCs.
And my MX record. 

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Wednesday, 6 January 2016 19:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> On 1/6/2016 10:56 AM, Ole Traupe wrote:
> > Ok, I updated resolv.conf as you said. Then I restarted the network
> > service on this member server and afterwards suspended the 1st DC.
> > Now, kinit gives me again:
> >
> > "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
> > initial credentials"
> >
> > Ole
> >
> >
> > On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
> >> For the member servers, to reduce timeouts etc when one DC is down.
> >>
> >> Change your resolv.conf to :
> >> domain internal.domain.tld
> >> search internal.domain.tld
> >>
> >> nameserver IP_DC1
> >> nameserver IP_DC2
> >>
> >> options timeout:2
> >> options attempts:2
> >> options rotate
> >> options edns0
> >>
> >> see man resolv.conf for the options explained.
> >>
> >> Oh.. and ..
> >>
> >> domain and search are NOT exclusive anymore in Debian Jessie and up.
> >> At least, I didn't find it anymore.
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> >>> Sent: Tuesday, 5 January 2016 12:30
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> >>> initially fails when PDC is offline
> >>>
> >>>
> >>>> I can't recall but are you able to get a packet trace? This may
> >>>> help further troubleshoot.
> >>> I'll look into this. However, Rowland stated that bind9 will be the
> >>> only solution.
> >>>
> >>>
> >>>> Just to recap, do you have both servers listed as available DNS servers
> >>>> on your workstations? As well as your member server?
> >>> Yes, of course. For member servers, this is the content of
> >>> /etc/resolv.conf:
> >>>
> >>> search my.domain.tld
> >>> nameserver IP_of_1st_DC
> >>> nameserver IP_of_2nd_DC
> >>>
> >>>
> >>>> I made a small tweak but haven't fully tested it: adding the following
> >>>> options to my resolv.conf.
> >>>>
> >>>> cat /etc/resolvconf/resolv.conf.d/tail
> >>>> options timeout:1
> >>> Great, this sounds exactly like what I need! However, I tried this: no
> >>> effect. I created this file and restarted the network service. But I
> >>> still get long timeouts and can't log in via ssh when I suspend my
> >>> 1st DC.
> >>>
> >>> # cat /etc/resolvconf/resolv.conf.d/tail
> >>> options timeout:1
> >>> options edns0
> >>>
> >>> Or do I need Network Manager for that?
> >>>
> >>>
> >>>> options edns0
> >>> What's that for, particularly?
> >>>
> >>>
> >>>> timeout:n
> >>>>        sets the amount of time the resolver will wait for a response
> >>>>        from a remote name server before retrying the query via a
> >>>>        different name server. Measured in seconds, the default is
> >>>>        RES_TIMEOUT (currently 5, see <resolv.h>). The value for this
> >>>>        option is silently capped to 30.
> >>>>
> >>>> edns0 (since glibc 2.6)
> >>>>        sets RES_USE_EDNSO in _res.options. This enables support for
> >>>>        the DNS extensions described in RFC 2671.
> >>>>
> >>>> From what I researched, this is the intended behavior on a Microsoft
> >>>> Server. Again, I can disable my "PDC" and log in from a Windows
> >>>> workstation just fine. It appears that for some users, after an hour or so,
> >>>> they run into issues.
> >>> I thought this was only happening with roaming machines resulting in
> >>> cached logins.
> >>>
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
> Ole,
> 
> Sorry you are having so many issues. I've tried reading back
> through this thread to verify everything that has been covered. Can you
> try this command with the "PDC" up and down? Reply with your findings.
> 
> KRB5_TRACE=/dev/stdout kinit administrator
> 
> --
> -James
> 
> 
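The thread turns on how a member server's resolv.conf behaves when the first DC is unreachable. The following is an added example, not code from any of the posters: it parses a resolv.conf, reports which of the failover settings recommended above are missing, and estimates how long each lookup stalls before the second nameserver is tried. The stall estimate assumes the glibc behaviour quoted from man resolv.conf (the resolver waits `timeout` seconds per name server before moving to the next one); the sample configs are constructed.

```python
"""Check a member server's resolv.conf for DC failover settings (added example)."""

RES_TIMEOUT_DEFAULT = 5  # glibc RES_TIMEOUT, as quoted from man resolv.conf


def parse_resolv_conf(text):
    """Parse resolv.conf text into nameservers, search list, domain and options."""
    cfg = {"nameserver": [], "search": [], "domain": None, "options": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg["nameserver"].append(args[0])
        elif key == "search":
            cfg["search"] = args
        elif key == "domain" and args:
            cfg["domain"] = args[0]
        elif key == "options":
            for opt in args:  # "timeout:2" -> 2, "rotate" -> True
                name, _, val = opt.partition(":")
                cfg["options"][name] = int(val) if val.isdigit() else True
    return cfg


def stall_seconds_if_first_dc_down(cfg):
    """Seconds one lookup waits on a dead first DC before the second is tried.

    Assumption: glibc tries nameservers in order and waits `timeout` seconds on
    each before moving on (the quoted man page text). None means no fallback.
    """
    if len(cfg["nameserver"]) < 2:
        return None
    timeout = cfg["options"].get("timeout", RES_TIMEOUT_DEFAULT)
    return min(timeout, 30)  # man page: the value is silently capped to 30


def failover_findings(cfg, max_timeout=2):
    """List gaps relative to the resolv.conf settings recommended in the thread."""
    findings = []
    opts = cfg["options"]
    if len(cfg["nameserver"]) < 2:
        findings.append("fewer than two nameservers: no DC to fall back to")
    if opts.get("timeout", RES_TIMEOUT_DEFAULT) > max_timeout:
        findings.append("timeout not lowered: %ds wait per dead DC per lookup"
                        % opts.get("timeout", RES_TIMEOUT_DEFAULT))
    if "attempts" not in opts:
        findings.append("attempts not set: default retry count applies")
    if "rotate" not in opts:
        findings.append("rotate missing: every lookup tries the first DC first")
    return findings
```

Run it against the member server's real file with `failover_findings(parse_resolv_conf(open("/etc/resolv.conf").read()))`; an ssh login performs several lookups, so the per-lookup stall multiplies.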