[Samba] Domain member cannot authenticate when first domain controller is down
Kris Lou
klou at themusiclink.net
Wed Mar 3 22:58:14 UTC 2021
>
> Experimenting with the resolv.conf options that Louis provided may have
> helped slightly, but a "getent passwd" that I timed took 40 seconds,
> something that is instantaneous when DC1 is online. (This is not a
> large domain.) An SSH login was similarly long.
> I will experiment with the krb5.conf options that you (and Jason)
> provided to see if there is any benefit. I know Rowland teaches only 3
> lines are needed in krb5.conf, so I wonder what his opinion of these
> modifications is.

I had similar problems a while ago, but with SSSD taking a dump if the
first DNS server wasn't available. The changes I suggested are the result
of playing around with that and trying to specify a target KDC, but I don't
know that I'd recommend it as a general client config. (Plus, sssd.)

Your problems sound like a DNS timeout, but whether it's winbind not
dealing with a non-responsive DNS server, or if DC2 is not being returned
as a viable KDC, well, that's the question.