[Samba] Domain member cannot authenticate when first domain controller is down

Kris Lou klou at themusiclink.net
Wed Mar 3 22:58:14 UTC 2021

> Experimenting with the resolv.conf options that Louis provided may have
> helped slightly, but a "getent passwd" that I timed took 40 seconds,
> something that is instantaneous when DC1 is online.  (This is not a
> large domain.)  An SSH login was similarly long.
> I will experiment with the krb5.conf options that you (and Jason)
> provided to see if there is any benefit.  I know Rowland teaches only 3
> lines are needed in krb5.conf, so I wonder what his opinion of these
> modifications is.

I had similar problems a while ago, but with SSSD taking a dump if the
first DNS server wasn't available.  The changes I suggested are the result
of playing around with that and trying to specify a target KDC, but I don't
know that I'd recommend it as a general client config.  (Plus, sssd.)

Your problems sound like a DNS timeout, but whether it's winbind not
dealing with a non-responsive DNS server, or if DC2 is not being returned
as a viable KDC, well, that's the question.

More information about the samba mailing list