[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Ole Traupe ole.traupe at tu-berlin.de
Thu Jan 7 11:24:39 UTC 2016



On 07.01.2016 at 12:00, L.P.H. van Belle wrote:
> Ok
>
> .. maybe I've seen something, don't know for sure, so Rowland, what do you think about the below.
>
>
> Post the result of :
>
> klist -e -k /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server1.my.domain.tld@my.domain.tld (des-cbc-crc)
   1 host/server1.my.domain.tld@my.domain.tld (des-cbc-md5)
   1 host/server1.my.domain.tld@my.domain.tld (aes128-cts-hmac-sha1-96)
   1 host/server1.my.domain.tld@my.domain.tld (aes256-cts-hmac-sha1-96)
   1 host/server1.my.domain.tld@my.domain.tld (arcfour-hmac)
   1 host/server1@my.domain.tld (des-cbc-crc)
   1 host/server1@my.domain.tld (des-cbc-md5)
   1 host/server1@my.domain.tld (aes128-cts-hmac-sha1-96)
   1 host/server1@my.domain.tld (aes256-cts-hmac-sha1-96)
   1 host/server1@my.domain.tld (arcfour-hmac)
   1 server1$@my.domain.tld (des-cbc-crc)
   1 server1$@my.domain.tld (des-cbc-md5)
   1 server1$@my.domain.tld (aes128-cts-hmac-sha1-96)
   1 server1$@my.domain.tld (aes256-cts-hmac-sha1-96)
   1 server1$@my.domain.tld (arcfour-hmac)

What difference does it make for 1st and 2nd DC?

>
> i see in your logs.
> AS key obtained for encrypted timestamp: aes256-cts/000A
>
> In my setup, I don't have aes256-cts available in my keytab, do you?
>
> You can try adding this, to krb5.conf.
>
> ; for Windows 2003
> ;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
>
> ; for Windows 2008 with AES
> ;    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ;    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> ;    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Why, what will it do? I don't have any Windows servers...

>
> And IF you're firewalling port 53, make sure you have 53/udp and 53/tcp open.
>
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Thursday 7 January 2016 11:48
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> Please don't post any sensitive information - even if I forget
>> sanitizing it.
>>
>> This is probably the reason behind it: Our corporate DNS servers hold
>> info about our machines. This works together with DHCP. By registering
>> the machines I simply prevent any IP conflicts. My domain DNS has
>> nothing to do with it. In my domain members (Win clients and Linux
>> servers) only my DCs are set as DNS servers and these members don't use
>> DHCP.
>>
>> Within my subnet, I get exactly the same as Rowland reported below.
>>
>> Ole
>>
>>
>> On 07.01.2016 at 10:28, L.P.H. van Belle wrote:
>>> Yes, that's exactly what Ole must test.
>>>
>>> And optionally the result of:
>>> dig A internal.domain.tld @IP_DC1
>>> dig A internal.domain.tld @IP_DC2
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>>> Sent: Thursday 7 January 2016 10:20
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>>> initially fails when PDC is offline
>>>>
>>>> On 07/01/16 08:45, L.P.H. van Belle wrote:
>>>>> Hai Ole,
>>>>>
>>>>> What does this give you as output?
>>>>> host bpn.tu-berlin.de
>>>>>
>>>>> I assume your DNS domain name is the same as your REALM_NAME?
>>>>>
>>>>> For me it shows the 2 IP addresses of my DCs.
>>>>> And my MX record.
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>> Hi Louis and Ole, just for interest I ran 'host bpn.tu-berlin.de' in a
>>>> terminal, all I get back is:
>>>>
>>>> bpn.tu-berlin.de mail is handled by 100 mail.tu-berlin.de.
>>>>
>>>> No NS records
>>>>
>>>> Yet when I search on my dns/kerberos domain:
>>>>
>>>> host samdom.example.com
>>>> samdom.example.com has address 192.168.0.6
>>>> samdom.example.com has address 192.168.0.5
>>>>
>>>> Rowland
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>
>
