[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

L.P.H. van Belle belle at bazuin.nl
Thu Jan 7 11:00:04 UTC 2016


Ok 

.. maybe I've seen something, don't know for sure, so Rowland, what do you think about the below. 


Post the result of : 

klist -e -k /etc/krb5.keytab

I see in your logs: 
AS key obtained for encrypted timestamp: aes256-cts/000A

In my setup, I don't have aes256-cts available in my keytab, do you? 

You can try adding this, to krb5.conf.

; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES
;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

And if you're firewalling port 53, make sure you have 53/udp and 53/tcp open. 



Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday, 7 January 2016 11:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
> 
> Please don't post any sensitive information - even if I forget
> sanitizing it.
> 
> This is probably the reason behind it: Our corporate DNS servers hold
> info about our machines. This works together with DHCP. By registering
> the machines I simply prevent any IP conflicts. My domain DNS has
> nothing to do with it. In my domain members (Win clients and Linux
> servers) only my DCs are set as DNS servers and these members don't use
> DHCP.
> 
> Within my subnet, I get exactly the same as Rowland reported below.
> 
> Ole
> 
> 
> On 07.01.2016 at 10:28, L.P.H. van Belle wrote:
> > Yes, that's exactly what Ole must test.
> >
> > And optionally the result of :
> > dig A internal.domain.tld @IP_DC1
> > dig A internal.domain.tld @IP_DC2
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> >> Sent: Thursday, 7 January 2016 10:20
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> >> initially fails when PDC is offline
> >>
> >> On 07/01/16 08:45, L.P.H. van Belle wrote:
> >>> Hai Ole,
> >>>
> >>> What does this give you as output?
> >>> host bpn.tu-berlin.de
> >>>
> >>> I assume your DNS domain name is the same as your REALM_NAME ?
> >>>
> >>> For me it shows the 2 IP addresses of my DC's.
> >>> And my MX record.
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >> Hi Louis and Ole, Just for interest I ran 'host bpn.tu-berlin.de' in a
> >> terminal, all I get back is:
> >>
> >> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
> >>
> >> No NS records
> >>
> >> Yet when I search on my dns/kerberos domain:
> >>
> >> host samdom.example.com
> >> samdom.example.com has address 192.168.0.6
> >> samdom.example.com has address 192.168.0.5
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> 
> 
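The checks Louis asks for above (the "AS key obtained for encrypted timestamp" trace line, the output of `klist -e -k /etc/krb5.keytab`, and the enctype lists in `[libdefaults]`) can be compared in one pass. The script below is an added example written for this page; it is not code from the thread, from Samba or from MIT krb5. It assumes the MIT `klist -e -k` output layout and the MIT trace-line wording, and every sample input is constructed here (the SAMDOM.EXAMPLE.COM realm, the hostnames, the keytab listing and the krb5.conf contents are made up; the alias table only covers the enctype names that appear in the post). On a real domain member you would feed it the trace log, the real klist output and the real krb5.conf, and it reports which principals and which enctype lists do not cover the enctype named in the log.

```python
import re

# --- Constructed sample inputs (not taken from the thread) ----------------------

# The trace line quoted in the thread, embedded in a made-up log entry.
SAMPLE_LOG = "[2231] 1452164404.123456: AS key obtained for encrypted timestamp: aes256-cts/000A\n"

# MIT `klist -e -k /etc/krb5.keytab` output for a hypothetical DC that has no AES keys.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/dc2.samdom.example.com@SAMDOM.EXAMPLE.COM (arcfour-hmac)
   3 host/dc2.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-crc)
   3 host/dc2.samdom.example.com@SAMDOM.EXAMPLE.COM (des-cbc-md5)
   3 DC2$@SAMDOM.EXAMPLE.COM (arcfour-hmac)
"""

# [libdefaults] with the "Windows 2003" enctype lines from the post uncommented.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_kdc = true
    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
"""

# The same file with the "Windows 2008 with AES" lines from the post instead.
SAMPLE_KRB5_CONF_AES = SAMPLE_KRB5_CONF.replace(
    "= rc4-hmac", "= aes256-cts-hmac-sha1-96 rc4-hmac")

# Short names MIT krb5 accepts for the same enctype; the trace log uses the short form,
# `klist -e` prints the long form. Only the names seen in the post are covered.
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}


def canonical(enctype):
    """Normalise an enctype name so log, keytab and config can be compared."""
    return ENCTYPE_ALIASES.get(enctype.lower(), enctype.lower())


KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")


def keytab_enctypes(klist_output):
    """Map each principal in `klist -e -k` output to the set of enctypes it has keys for."""
    table = {}
    for line in klist_output.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            table.setdefault(m.group(2), set()).add(canonical(m.group(3)))
    return table


def libdefaults_enctypes(conf_text):
    """Return the *_enctypes lists from the [libdefaults] section of a krb5.conf."""
    result = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # comment lines, as in the post
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().endswith("_enctypes"):
                result[key.strip()] = [canonical(e) for e in value.split()]
    return result


TRACE_LINE = re.compile(r"AS key obtained for encrypted timestamp: (\S+?)/[0-9A-Fa-f]+")


def trace_enctype(log_text):
    """Pull the enctype out of the krb5 trace line quoted in the thread, or None."""
    m = TRACE_LINE.search(log_text)
    return canonical(m.group(1)) if m else None


def diagnose(log_text, klist_output, conf_text):
    """List every keytab principal and every enctype list that lacks the logged enctype."""
    wanted = trace_enctype(log_text)
    if wanted is None:
        return ["no 'AS key obtained' trace line found"]
    findings = []
    for principal, etypes in sorted(keytab_enctypes(klist_output).items()):
        if wanted not in etypes:
            findings.append(f"keytab has no {wanted} key for {principal}")
    for key, etypes in sorted(libdefaults_enctypes(conf_text).items()):
        if wanted not in etypes:
            findings.append(f"{key} in krb5.conf does not list {wanted}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_KLIST, SAMPLE_KRB5_CONF):
        print(finding)
```

With the constructed inputs the first run reports all four principals/lists as lacking aes256-cts-hmac-sha1-96; swapping in the AES enctype lines from the post clears the three krb5.conf findings and leaves only the keytab ones, which is the distinction Louis is drawing between the client configuration and the keys actually present on disk.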




