Ole Traupe
2015-Dec-09 16:33 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> - But when I try to ssh to a member server, it still takes forever,
> and a 'kinit' on a member server gives this:
> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials"
>
>
> My /etc/krb5.conf looks like this (following your suggestions,
> Rowland, as everything else are defaults):
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
>
> And my /etc/resolv.conf is this:
>
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC

Any idea why I still get this when trying to log on to a member server while the first DC is down?

# kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting initial credentials

Ole
James
2015-Dec-09 16:50 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12/9/2015 11:33 AM, Ole Traupe wrote:
>
>> - But when I try to ssh to a member server, it still takes forever,
>> and a 'kinit' on a member server gives this:
>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials"
>>
>>
>> My /etc/krb5.conf looks like this (following your suggestions,
>> Rowland, as everything else are defaults):
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials
>
> Ole
>
>

Ole,

Can you try a few things? All on your member server. What is the output of

testparm | grep "name resolve order"

kdestroy -A

kinit administrator@MY.DOMAIN.TLD -V

--
-James
James
2015-Dec-09 17:03 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12/9/2015 11:33 AM, Ole Traupe wrote:
>
>> - But when I try to ssh to a member server, it still takes forever,
>> and a 'kinit' on a member server gives this:
>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials"
>>
>>
>> My /etc/krb5.conf looks like this (following your suggestions,
>> Rowland, as everything else are defaults):
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials
>
> Ole
>
>

Ole,

I was trying to look back through your posts, so excuse me if you have answered this. What were your original krb.conf file contents? A few things that may work: specify the kdc and don't rely on dns, for instance:

[libdefaults]
 default_realm = MY.DOMAIN.TLD
 dns_lookup_kdc = false
 dns_lookup_realm = false

[realms]
 MY.DOMAIN.TLD = {
  kdc = IP of First DC
  kdc = IP of Second DC
 }

--
-James
Rowland penny
2015-Dec-09 17:16 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09/12/15 17:03, James wrote:
> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>
>>> - But when I try to ssh to a member server, it still takes forever,
>>> and a 'kinit' on a member server gives this:
>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials"
>>>
>>>
>>> My /etc/krb5.conf looks like this (following your suggestions,
>>> Rowland, as everything else are defaults):
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>>
>>> And my /etc/resolv.conf is this:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>
>> Any idea why I still get this when trying to log on to a member
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials
>>
>> Ole
>>
>>
>>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work is to specify the kdc and not rely on dns.
> for instance.
>
> [libdefaults]
>  default_realm = MY.DOMAIN.TLD
>  dns_lookup_kdc = false
>  dns_lookup_realm = false
>
> [realms]
>  MY.DOMAIN.TLD = {
>   kdc = IP of First DC
>   kdc = IP of Second DC
>  }
>

If you have to do that, then there is something wrong with your dns and you need to fix this; dns is an important part of AD and really needs to work correctly.

I have been doing some testing with dns and with the internal dns server: even if you add another NS to the SOA record, you only have one NS. It seems the only way to get each DC to think it is a NS is to use bind9.

Rowland
L.P.H. van Belle
2015-Dec-10 07:32 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have one
> NS. It seems the only way to get each DC to think it is a NS, is to use
> bind9.
>

Hi,

Good to know. Some versions of samba, I don't know which, do have this problem also if you use bind9_dlz.

So, my question to the readers: if you use a samba4 DC with bind9_DLZ and you have 2 or more DCs, check all your zones whether you also have the same number of NS servers.

I know from my install, I had only 1 DC as NS record; I manually added the second to the zones.

Greetz,

Louis
Ole Traupe
2015-Dec-10 13:05 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>> Any idea why I still get this when trying to log on to a member
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials
>>
>> Ole
>>
>>
>>
> Ole,
>
> Can you try a few things? All on your member server. What is the
> output of
>
> testparm | grep "name resolve order"

There is no such line.

>
> kdestroy -A
>
> kinit administrator@MY.DOMAIN.TLD -V

Using default cache: /tmp/krb5cc_0
Using principal: administrator@MY.DOMAIN.TLD
Password for administrator@MY.DOMAIN.TLD:
Authenticated to Kerberos v5
Ole Traupe
2015-Dec-10 13:15 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work is to specify the kdc and not rely on dns.
> for instance.
>
> [libdefaults]
>  default_realm = MY.DOMAIN.TLD
>  dns_lookup_kdc = false
>  dns_lookup_realm = false
>
> [realms]
>  MY.DOMAIN.TLD = {
>   kdc = IP of First DC
>   kdc = IP of Second DC
>  }
>

Here is the content of /etc/krb5.conf (commented sections were all effective, initially):

[root@server me]# cat /etc/krb5.conf
#[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN.TLD
# dns_lookup_realm = false
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true

#[realms]
# MY.DOMAIN.TLD = {
#  kdc = dc1.my.domain.tld
#  kdc = dc2.my.domain.tld
#  admin_server = dc1.my.domain.tld
#  default_domain = my.domain.tld
# }

#[domain_realm]
# my.domain.tld = MY.DOMAIN.TLD
# .my.domain.tld = MY.DOMAIN.TLD

Initially, when the First_DC was offline and I swapped the 'kdc' server lines in [realms] in krb5.conf and the 'nameserver' lines in resolv.conf (and restarted the network service; not sure whether the latter was actually needed), I could kinit on the member server.
Ole Traupe
2015-Dec-10 13:33 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10.12.2015 at 14:05, James wrote:
> On 12/10/2015 7:56 AM, Ole Traupe wrote:
>>
>>>> Any idea why I still get this when trying to log on to a member
>>>> server while the first DC is down?
>>>>
>>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials
>>>>
>>>> Ole
>>>>
>>>>
>>>>
>>> Ole,
>>>
>>> Can you try a few things? All on your member server. What is the
>>> output of
>>>
>>> testparm | grep "name resolve order"
>>
>> There is no such line.
>>
>>
>>>
>>> kdestroy -A
>>>
>>> kinit administrator@MY.DOMAIN.TLD -V
>>
>> Using default cache: /tmp/krb5cc_0
>> Using principal: administrator@MY.DOMAIN.TLD
>> Password for administrator@MY.DOMAIN.TLD:
>> Authenticated to Kerberos v5
>>
>>
> Sorry. The command is testparm -v | grep "name resolve order".

name resolve order = lmhosts wins host bcast

>
> It looks like your kinit succeed?
>

yes
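The thread touches three places where KDC discovery on a member server can lose its redundancy: the commented-out `kdc` lines in Ole's krb5.conf (and James's suggestion to pin them), the single NS record Rowland and Louis observed in the AD zone, and the `nameserver` lines in resolv.conf. The script below is an added example, not from the samba list or the Samba project: it parses a krb5.conf in the form posted above and, given DNS answers passed in as constructed sample data (in practice the output of a live SRV/NS query), reports which of those three layers would leave only one DC. It assumes MIT krb5 semantics, where `[realms]` `kdc` lines take precedence and DNS SRV records are used only when `dns_lookup_kdc` is enabled (the default).

```python
def parse_krb5_conf(text):
    """Return (libdefaults, {realm: [kdc, ...]}); '#' starts a comment."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            libdefaults[key] = value.lower()
        elif section == "realms":
            if line.endswith("{"):
                realm = line.split("=", 1)[0].strip()
                realms.setdefault(realm, [])
            elif realm and line.startswith("kdc"):
                realms[realm].append(line.split("=", 1)[1].strip())
    return libdefaults, realms


def kdc_failover_findings(krb5_text, realm, srv_kdcs, zone_ns, nameservers):
    """Single points of failure for kinit against `realm`.

    srv_kdcs = targets of the _kerberos._tcp.<realm> SRV records, zone_ns = NS
    records of the AD zone, nameservers = resolv.conf entries; all are passed
    in as data, nothing is queried live."""
    libdefaults, realms = parse_krb5_conf(krb5_text)
    findings = []
    if len(set(nameservers)) < 2:
        findings.append("resolv.conf: only one nameserver, no resolver failover")
    # MIT krb5 (assumed here) takes kdc lines from [realms] first and consults
    # DNS SRV records only when dns_lookup_kdc is enabled (the default is true).
    use_dns = libdefaults.get("dns_lookup_kdc", "true") == "true"
    configured = realms.get(realm, [])
    if configured:
        kdcs, source = set(configured), "krb5.conf [realms] kdc lines"
    elif use_dns:
        kdcs, source = set(srv_kdcs), "DNS SRV _kerberos._tcp records"
    else:
        kdcs, source = set(), "no KDC source (dns_lookup_kdc=false, no kdc lines)"
    if len(kdcs) < 2:
        findings.append(f"{source}: only {len(kdcs)} KDC(s) known")
    if use_dns and not configured and len(set(zone_ns)) < 2:
        findings.append("AD zone: a single NS record, so DNS discovery itself has no redundancy")
    return findings


# Constructed sample modelled on the thread: a DNS-reliant krb5.conf like Ole's
# (kdc lines commented out), both DCs in SRV, but only one NS record in the zone.
SAMPLE_KRB5 = "[libdefaults]\n default_realm = MY.DOMAIN.TLD\n#[realms]\n# MY.DOMAIN.TLD = {\n#  kdc = dc1.my.domain.tld\n#  kdc = dc2.my.domain.tld\n# }\n"
SAMPLE_FINDINGS = kdc_failover_findings(SAMPLE_KRB5, "MY.DOMAIN.TLD", ["dc1.my.domain.tld", "dc2.my.domain.tld"], ["dc1.my.domain.tld"], ["IP_of_1st_DC", "IP_of_2nd_DC"])
```

Feed it the real `dig SRV _kerberos._tcp.my.domain.tld` and `dig NS my.domain.tld` targets from each DC to see which layer still depends on a single server.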