L.P.H. van Belle
2015-Dec-09 16:53 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai Ole,

Can you run on the member where you logged in.

host -t SRV _ldap._tcp.samdom.example.com.
host -t SRV _kerberos._udp.samdom.example.com.

host -t A dc1.samdom.example.com.
host -t A dc2.samdom.example.com.

and again with
search my.domain.tld
nameserver IP_of_2st_DC
nameserver IP_of_1nd_DC

looks ok to me so far.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Wednesday 9 December 2015 17:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> > - But when I try to ssh to a member server, it still takes forever,
> > and a 'kinit' on a member server gives this:
> > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> > getting initial credentials"
> >
> >
> > My /etc/krb5.conf looks like this (following your suggestions,
> > Rowland, as everything else are defaults):
> >
> > [libdefaults]
> > default_realm = MY.DOMAIN.TLD
> >
> > And my /etc/resolv.conf is this:
> >
> > search my.domain.tld
> > nameserver IP_of_1st_DC
> > nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting
> initial credentials
>
> Ole
Ole Traupe
2015-Dec-10 13:08 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
> Hai Ole,
>
> Can you run on the member where you logged in.
>
> host -t SRV _ldap._tcp.samdom.example.com.
> host -t SRV _kerberos._udp.samdom.example.com.
>
> host -t A dc1.samdom.example.com.
> host -t A dc2.samdom.example.com.
>
> and again with
> search my.domain.tld
> nameserver IP_of_2st_DC
> nameserver IP_of_1nd_DC
>

Both times the same:

[root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.

[root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.

[root at server me]# host -t A dc1.my.domain.tld.
dc1.my.domain.tld has address IP_of_FirstDC

[root at server me]# host -t A dc2.my.domain.tld.
dc2.my.domain.tld has address IP_of_SecondDC

There is no need to restart network service after altering resolv.conf, right?
Rowland penny
2015-Dec-10 13:18 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 13:08, Ole Traupe wrote:
>
>
> On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
>> Hai Ole,
>>
>> Can you run on the member where you logged in.
>>
>> host -t SRV _ldap._tcp.samdom.example.com.
>> host -t SRV _kerberos._udp.samdom.example.com.
>>
>> host -t A dc1.samdom.example.com.
>> host -t A dc2.samdom.example.com.
>>
>> and again with
>> search my.domain.tld
>> nameserver IP_of_2st_DC
>> nameserver IP_of_1nd_DC
>>
>
> Both times the same:
>
>
> [root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
> _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
>
> [root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
> _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.

You have problems, if you have two DCs, you should get something like this:

root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.

root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.

Rowland

>
> [root at server me]# host -t A dc1.my.domain.tld.
> dc1.my.domain.tld has address IP_of_FirstDC
>
> [root at server me]# host -t A dc2.my.domain.tld.
> dc2.my.domain.tld has address IP_of_SecondDC
>
> There is no need to restart network service after altering
> resolv.conf, right?
>
>
L.P.H. van Belle
2015-Dec-10 13:20 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai Ole,
Ok, so there is your problem.
If you have 2 DC's, then with the command :
host -t SRV _ldap._tcp.my.domain.tld.
you should see :
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc2.my.domain.tld.
Have a look here
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
so you have seen bug 10928 in action ;-)
https://bugzilla.samba.org/show_bug.cgi?id=10928
Greetz,
Louis
> -----Original message-----
> From: Ole Traupe [mailto:ole.traupe at tu-berlin.de]
> Sent: Thursday 10 December 2015 14:08
> To: L.P.H. van Belle
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
>
>
> On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
> > Hai Ole,
> >
> > Can you run on the member where you logged in.
> >
> > host -t SRV _ldap._tcp.samdom.example.com.
> > host -t SRV _kerberos._udp.samdom.example.com.
> >
> > host -t A dc1.samdom.example.com.
> > host -t A dc2.samdom.example.com.
> >
> > and again with
> > search my.domain.tld
> > nameserver IP_of_2st_DC
> > nameserver IP_of_1nd_DC
> >
>
> Both times the same:
>
>
> [root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
> _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
>
> [root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
> _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
>
> [root at server me]# host -t A dc1.my.domain.tld.
> dc1.my.domain.tld has address IP_of_FirstDC
>
> [root at server me]# host -t A dc2.my.domain.tld.
> dc2.my.domain.tld has address IP_of_SecondDC
>
> There is no need to restart network service after altering resolv.conf,
> right?
>
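
Added example (not part of the original thread): a shell helper that reads `host -t SRV` output and lists the expected DCs that have no SRV record, which is the condition diagnosed above. The function names, variable names and sample outputs are constructed for illustration and use the thread's placeholder hostnames.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are hypothetical.
#
# missing_srv_targets: read `host -t SRV` output on stdin and print each
# expected DC (passed as arguments) that does not appear as an SRV target.
# Live use on a domain member:
#   host -t SRV _kerberos._udp.my.domain.tld. | \
#       missing_srv_targets dc1.my.domain.tld dc2.my.domain.tld
missing_srv_targets() {
    # A `host` SRV line looks like:
    #   <name> has SRV record <priority> <weight> <port> <target>.
    # Keep the last field, drop the trailing dot, normalise case.
    # An NXDOMAIN answer has no such lines, so every DC is reported missing.
    targets=$(awk '/ has SRV record /{ t=$NF; sub(/\.$/, "", t); print tolower(t) }')
    for dc in "$@"; do
        want=$(printf '%s' "$dc" | tr 'A-Z' 'a-z')
        want=${want%.}
        # Exact whole-line match so dc1 never matches dc10.
        printf '%s\n' "$targets" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: the single-record answer reported in the thread.
sample_broken='_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.'

# Constructed sample: the answer a domain with two registered DCs should give.
sample_ok='_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc2.my.domain.tld.'

# Run the check over one of the embedded samples.
check_sample() {
    printf '%s\n' "$1" | missing_srv_targets dc1.my.domain.tld dc2.my.domain.tld
}

echo "missing (single-record sample): $(check_sample "$sample_broken")"
echo "missing (two-record sample):    $(check_sample "$sample_ok")"
```

Run the same check against `_ldap._tcp` as well; a DC missing from either record set will not be found by clients when the other DC is offline.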