[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Jan 7 10:30:07 UTC 2016


Yes, it does for me, too. What is an MX record?



On 07.01.2016 at 09:45, L.P.H. van Belle wrote:
> Hai Ole,
>
> What does this give you as output?
> host bpn.tu-berlin.de
>
> I assume your dnsdomain name is the same as your REALM_NAME?
>
> For me it shows the 2 IP addresses of my DCs.
> And my MX record.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
>> Sent: Wednesday 6 January 2016 19:10
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> On 1/6/2016 10:56 AM, Ole Traupe wrote:
>>> Ok, I updated resolv.conf as you said. Then I restarted the network
>>> service on this member server and afterwards suspended the 1st DC.
>>> Now, kinit gives me again:
>>>
>>> "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
>>> initial credentials"
>>>
>>> Ole
>>>
>>>
>>> On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
>>>> For the member servers, to reduce timeouts etc. when one DC is down.
>>>>
>>>> Change your resolv.conf to :
>>>> domain internal.domain.tld
>>>> search internal.domain.tld
>>>>
>>>> nameserver IP_DC1
>>>> nameserver IP_DC2
>>>>
>>>> options timeout:2
>>>> options attempts:2
>>>> options rotate
>>>> options edns0
>>>>
>>>> see man resolv.conf for the options explained.
>>>>
>>>> Ow.. and ..
>>>>
>>>> domain and search are NOT exclusive anymore in Debian Jessie and up.
>>>> At least, I didn't find it anymore.
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>>> Sent: Tuesday 5 January 2016 12:30
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>>>> initially fails when PDC is offline
>>>>>
>>>>>
>>>>>> I can't recall but are you able to get a packet trace? This may
>>>>>> help further troubleshoot.
>>>>> I'll look into this. However, Rowland stated that bind9 will be the
>>>>> only solution.
>>>>>
>>>>>
>>>>>> Just to recap, do you have both servers listed as available DNS servers
>>>>>> on your workstations? As well as your member server?
>>>>> Yes, of course. For member servers, this is the content of
>>>>> /etc/resolv.conf:
>>>>>
>>>>> search my.domain.tld
>>>>> nameserver IP_of_1st_DC
>>>>> nameserver IP_of_2nd_DC
>>>>>
>>>>>
>>>>>> A small tweak I made but haven't fully tested is adding the following
>>>>>> options to my resolv.conf.
>>>>>>
>>>>>> cat /etc/resolvconf/resolv.conf.d/tail
>>>>>> options timeout:1
>>>>> Great, this sounds exactly as what I need! However, I tried this: no
>>>>> effect. I created this file and restarted the network service. But I
>>>>> still get long timeouts and can't login via ssh, when I suspend my
>>>>> 1st DC.
>>>>>
>>>>> # cat /etc/resolvconf/resolv.conf.d/tail
>>>>> options timeout:1
>>>>> options edns0
>>>>>
>>>>> Or do I need Network Manager for that?
>>>>>
>>>>>
>>>>>> options edns0
>>>>> What's that for, particularly?
>>>>>
>>>>>
>>>>>> timeout:n
>>>>>>     sets the amount of time the resolver will wait for a response
>>>>>>     from a remote name server before retrying the query via a
>>>>>>     different name server. Measured in seconds, the default is
>>>>>>     RES_TIMEOUT (currently 5, see <resolv.h>). The value for this
>>>>>>     option is silently capped to 30.
>>>>>>
>>>>>> edns0 (since glibc 2.6)
>>>>>>     sets RES_USE_EDNS0 in _res.options. This enables support for
>>>>>>     the DNS extensions described in RFC 2671.
>>>>>>
>>>>>> From what I researched, this is the intended behavior on a Microsoft
>>>>>> Server. Again I can disable my "PDC" and log in from a windows
>>>>>> workstation just fine. It appears for some users after an hour or so
>>>>>> they run into issues.
>>>>> I thought this was only happening with roaming machines resulting in
>>>>> cached logins.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>
>> Ole,
>>
>> Sorry you are having so many issues. I've tried reading back
>> through this thread to verify everything that has been covered. Can you
>> try this command with the "PDC" up and down? Reply with your findings.
>>
>> KRB5_TRACE=/dev/stdout kinit administrator
>>
>> --
>> -James
>>
>>
>
>
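As an added illustration of the resolv.conf tuning discussed in this thread (example code written for this page, not something any participant posted and not part of Samba), the following Python script parses a resolv.conf and reports how a glibc stub resolver on a member server would behave while the first DC is unreachable. The timing figures are an approximation of glibc's retry schedule (one `timeout` wait per nameserver per attempt), the glibc limits are taken from resolv.h, and the two sample files and their RFC 5737 documentation addresses are constructed for the example.

```python
# Added example: lint /etc/resolv.conf for the two-DC failover scenario.
# Pure Python 3, no network access; the timing model is an approximation.
import re
from dataclasses import dataclass, field

# glibc resolver constants (resolv.h): 5 s default timeout, 2 attempts,
# only the first 3 nameservers are honoured, timeout capped at 30, attempts at 5.
RES_TIMEOUT = 5
RES_DFLRETRY = 2
MAXNS = 3
RES_MAXRETRANS = 30
RES_MAXRETRY = 5


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    timeout: int = RES_TIMEOUT
    attempts: int = RES_DFLRETRY
    rotate: bool = False
    edns0: bool = False


def parse_resolv_conf(text):
    """Parse resolv.conf text. '#' and ';' start comments, the last
    domain/search line wins, and later options lines override earlier ones."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf.nameservers.append(args[0])
        elif key in ("domain", "search"):
            conf.search = args[:1] if key == "domain" else args
        elif key == "options":
            for opt in args:
                name, _, val = opt.partition(":")
                if name == "timeout" and val.isdigit() and int(val) > 0:
                    conf.timeout = min(int(val), RES_MAXRETRANS)
                elif name == "attempts" and val.isdigit() and int(val) > 0:
                    conf.attempts = min(int(val), RES_MAXRETRY)
                elif name == "rotate":
                    conf.rotate = True
                elif name == "edns0":
                    conf.edns0 = True
    return conf


def failover_profile(conf):
    """Approximate worst-case waits when the first DC is down: glibc asks the
    honoured nameservers in order once per attempt, waiting `timeout` seconds
    for each (simplified model of res_send's schedule)."""
    n = min(len(conf.nameservers), MAXNS)
    return {
        "honoured_nameservers": n,
        # seconds one lookup stalls on a dead first server before the second is asked
        "stall_before_failover": conf.timeout if n > 1 else None,
        # seconds until a lookup fails outright if every listed server is dead
        "total_give_up": conf.timeout * conf.attempts * n,
        # with rotate, only about half of the lookups start at the dead server
        "share_hitting_dead_server_first": 0.5 if conf.rotate else 1.0,
    }


def lint(conf):
    """Return human-readable findings for the DC-failover use case."""
    findings = []
    if len(conf.nameservers) < 2:
        findings.append("only one nameserver: no DNS failover when that DC is down")
    if len(conf.nameservers) > MAXNS:
        findings.append(f"{len(conf.nameservers)} nameservers listed; glibc uses only the first {MAXNS}")
    if conf.timeout > 2:
        findings.append(f"timeout:{conf.timeout} stalls every lookup that hits a dead DC for {conf.timeout}s; consider timeout:2 or less")
    if not conf.rotate:
        findings.append("no rotate: every lookup starts at the first DC, so all of them stall while it is down")
    if not conf.search:
        findings.append("no search/domain: short hostnames will not resolve inside the AD domain")
    return findings


# Constructed samples (RFC 5737 documentation addresses, not the thread's real DCs).
DEFAULT_CONF = """search my.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

TUNED_CONF = """# failover tuning as suggested in the thread
domain internal.domain.tld
search internal.domain.tld

nameserver 192.0.2.1
nameserver 192.0.2.2

options timeout:2
options attempts:2
options rotate
options edns0
"""

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_CONF), ("tuned", TUNED_CONF)):
        conf = parse_resolv_conf(text)
        print(label, failover_profile(conf), lint(conf))
```

With the untuned file every lookup that lands on the suspended DC waits the full 5 s default before the second DC is tried, and a Kerberos or LDAP logon performs several lookups in a row, which is how the "long timeouts" on ssh login add up; the tuned file cuts that to 2 s per lookup and, with rotate, spreads the first query across both DCs.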



