L.P.H. van Belle
2016-Jan-05 12:41 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
For the member servers, to reduce timeouts etc. when one DC is down.

Change your resolv.conf to :
domain internal.domain.tld
search internal.domain.tld

nameserver IP_DC1
nameserver IP_DC2

options timeout:2
options attempts:2
options rotate
options edns0

see man resolv.conf for the options explained.

Ow.. and ..

domain and search are NOT exclusive anymore in Debian Jessie and up.
At least, I didn't find it anymore.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Tuesday 5 January 2016 12:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
>
> > I can't recall but are you able to get a packet trace? This may
> > help further troubleshoot.
>
> I'll look into this. However, Rowland stated that bind9 will be the only
> solution.
>
>
> > Just to recap, do you have both servers listed as available DNS servers
> > on your workstations? As well as your member server?
>
> Yes, of course. For member servers, this is the content of
> /etc/resolv.conf:
>
> search my.domain.tld
> nameserver IP_of_1st_DC
> nameserver IP_of_2nd_DC
>
>
> > I made a small tweak but haven't fully tested is adding the following
> > options to my resolv.conf.
> >
> > cat /etc/resolvconf/resolv.conf.d/tail
> > options timeout:1
>
> Great, this sounds exactly as what I need! However, I tried this: no
> effect. I created this file and restarted the network service. But I
> still get long timeouts and can't login via ssh, when I suspend my 1st DC.
>
> # cat /etc/resolvconf/resolv.conf.d/tail
> options timeout:1
> options edns0
>
> Or do I need Network Manager for that?
>
>
> > options edns0
>
> What's that for, particularly?
>
>
> > timeout:n
> > sets the amount of time the resolver will wait
> > for a response from a remote name server before retrying the query
> > via a different name
> > server. Measured in seconds, the default is
> > RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
> > is silently capped to 30.
> >
> > edns0 (since glibc 2.6)
> > sets RES_USE_EDNSO in _res.options. This enables
> > support for the DNS extensions described in RFC 2671.
> >
> > From what I researched, this is the intended behavior on a Microsoft
> > Server. Again I can disable my "PDC" and log in from a windows
> > workstation just fine. It appears for some users after an hour or so
> > they run into issues
>
> I thought this was only happening with roaming machines resulting in
> cached logins.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
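An added check for the resolv.conf advice in this message (example code written for this page, not from the thread, Samba or glibc): it parses a resolv.conf, applies the glibc defaults quoted in the thread (timeout 5 s, silently capped at 30) and reports how long a single lookup blocks on an unreachable first DC, comparing Ole's original three-line file with Louis's tuned one. The 192.0.2.x addresses are constructed stand-ins for the DCs, and the attempts default of 2 (RES_DFLRETRY in resolv.conf(5)) is an assumption not stated on the page.

```python
"""Audit a glibc resolv.conf for the options that decide how long a lookup
blocks when the first listed nameserver (DC1 in the thread) is unreachable.

Added example for the Samba list thread, not code from the thread itself.
Facts used: 'timeout' defaults to RES_TIMEOUT (5 s) and is capped at 30, as
quoted from resolv.conf(5) in the thread; 'attempts' defaulting to
RES_DFLRETRY (2) is assumed from the same man page.
"""

RES_TIMEOUT = 5       # glibc default per-nameserver timeout (seconds)
RES_DFLRETRY = 2      # glibc default number of attempts (assumption, see above)
TIMEOUT_CAP = 30      # timeout values above this are silently capped


def parse_resolv_conf(text):
    """Parse resolv.conf text into a dict. Several 'options' lines accumulate,
    which is how Louis's example file is written."""
    conf = {"domain": None, "search": [], "nameservers": [], "options": {}}
    for raw in text.splitlines():
        # '#' and ';' both start a comment in resolv.conf
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        args = parts[1].split() if len(parts) > 1 else []
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key == "domain" and args:
            conf["domain"] = args[0]
        elif key == "search":
            conf["search"] = args
        elif key == "options":
            for opt in args:
                name, sep, value = opt.partition(":")
                if sep and value.isdigit():
                    conf["options"][name] = int(value)   # timeout:2, attempts:2
                else:
                    conf["options"][name] = True         # flags: rotate, edns0
    return conf


def effective_timeout(conf):
    """Per-nameserver timeout glibc will actually use, with default and cap."""
    value = conf["options"].get("timeout", RES_TIMEOUT)
    if type(value) is not int:          # 'options timeout' with no number
        value = RES_TIMEOUT
    return min(value, TIMEOUT_CAP)


def effective_attempts(conf):
    value = conf["options"].get("attempts", RES_DFLRETRY)
    return value if type(value) is int else RES_DFLRETRY


def wait_on_dead_first_nameserver(conf):
    """Seconds one lookup spends waiting on an unreachable first nameserver
    before the resolver moves on to the next one. With glibc defaults that is
    5 s for every lookup, which matches the 'long timeouts' Ole reports."""
    if len(conf["nameservers"]) < 2:
        return None                     # nothing to fail over to
    return effective_timeout(conf)


def audit(conf):
    """Return (code, message) findings for settings that make DC failover slow."""
    findings = []
    if len(conf["nameservers"]) < 2:
        findings.append(("single-nameserver",
                         "only one nameserver listed: no second DC to fail over to"))
    if "timeout" not in conf["options"]:
        findings.append(("default-timeout",
                         f"timeout not set: each lookup waits {RES_TIMEOUT} s on a dead first nameserver"))
    if "rotate" not in conf["options"]:
        findings.append(("no-rotate",
                         "rotate not set: every lookup starts at the first nameserver"))
    return findings


# Constructed samples; 192.0.2.x is documentation address space standing in for the DCs.
WEAK_RESOLV_CONF = """\
search my.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

TUNED_RESOLV_CONF = """\
domain internal.domain.tld
search internal.domain.tld
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:2
options attempts:2
options rotate
options edns0
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RESOLV_CONF), ("tuned", TUNED_RESOLV_CONF)):
        conf = parse_resolv_conf(text)
        print(f"{label}: wait on dead DC1 = {wait_on_dead_first_nameserver(conf)} s, "
              f"attempts = {effective_attempts(conf)}")
        for code, msg in audit(conf):
            print(f"  [{code}] {msg}")
```

Point it at a real file with `parse_resolv_conf(open("/etc/resolv.conf").read())`. The audit speaks only to resolver delay on the member server; Ole's later report that kinit still says "Cannot contact any KDC" after the change is a separate question, namely whether the second DC answers for the realm at all, which is what Louis's `host bpn.tu-berlin.de` check probes.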
Ole Traupe
2016-Jan-06 15:56 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Ok, I updated resolv.conf as you said. Then I restarted the network
service on this member server and afterwards suspended the 1st DC.
Now, kinit gives me again:

"Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
initial credentials"

Ole


On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
> For the member servers, to reduce timeouts etc. when one DC is down.
>
> Change your resolv.conf to :
> domain internal.domain.tld
> search internal.domain.tld
>
> nameserver IP_DC1
> nameserver IP_DC2
>
> options timeout:2
> options attempts:2
> options rotate
> options edns0
>
> see man resolv.conf for the options explained.
>
> Ow.. and ..
>
> domain and search are NOT exclusive anymore in Debian Jessie and up.
> At least, I didn't find it anymore.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>> Sent: Tuesday 5 January 2016 12:30
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>>
>>> I can't recall but are you able to get a packet trace? This may
>>> help further troubleshoot.
>> I'll look into this. However, Rowland stated that bind9 will be the only
>> solution.
>>
>>
>>> Just to recap, do you have both servers listed as available DNS servers
>>> on your workstations? As well as your member server?
>> Yes, of course. For member servers, this is the content of
>> /etc/resolv.conf:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>>
>>
>>> I made a small tweak but haven't fully tested is adding the following
>>> options to my resolv.conf.
>>>
>>> cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>> Great, this sounds exactly as what I need! However, I tried this: no
>> effect. I created this file and restarted the network service. But I
>> still get long timeouts and can't login via ssh, when I suspend my 1st DC.
>>
>> # cat /etc/resolvconf/resolv.conf.d/tail
>> options timeout:1
>> options edns0
>>
>> Or do I need Network Manager for that?
>>
>>
>>> options edns0
>> What's that for, particularly?
>>
>>
>>> timeout:n
>>> sets the amount of time the resolver will wait
>>> for a response from a remote name server before retrying the query
>>> via a different name
>>> server. Measured in seconds, the default is
>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
>>> is silently capped to 30.
>>>
>>> edns0 (since glibc 2.6)
>>> sets RES_USE_EDNSO in _res.options. This enables
>>> support for the DNS extensions described in RFC 2671.
>>>
>>> From what I researched, this is the intended behavior on a Microsoft
>>> Server. Again I can disable my "PDC" and log in from a windows
>>> workstation just fine. It appears for some users after an hour or so
>>> they run into issues
>> I thought this was only happening with roaming machines resulting in
>> cached logins.
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
James
2016-Jan-06 18:09 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 1/6/2016 10:56 AM, Ole Traupe wrote:
> Ok, I updated resolv.conf as you said. Then I restarted the network
> service on this member server and afterwards suspended the 1st DC.
> Now, kinit gives me again:
>
> "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
> initial credentials"
>
> Ole
>
>
> On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
>> For the member servers, to reduce timeouts etc. when one DC is down.
>>
>> Change your resolv.conf to :
>> domain internal.domain.tld
>> search internal.domain.tld
>>
>> nameserver IP_DC1
>> nameserver IP_DC2
>>
>> options timeout:2
>> options attempts:2
>> options rotate
>> options edns0
>>
>> see man resolv.conf for the options explained.
>>
>> Ow.. and ..
>>
>> domain and search are NOT exclusive anymore in Debian Jessie and up.
>> At least, I didn't find it anymore.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>> Sent: Tuesday 5 January 2016 12:30
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>>> initially fails when PDC is offline
>>>
>>>
>>>> I can't recall but are you able to get a packet trace? This may
>>>> help further troubleshoot.
>>> I'll look into this. However, Rowland stated that bind9 will be the
>>> only
>>> solution.
>>>
>>>
>>>> Just to recap, do you have both servers listed as available DNS servers
>>>> on your workstations? As well as your member server?
>>> Yes, of course. For member servers, this is the content of
>>> /etc/resolv.conf:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>>
>>>
>>>> I made a small tweak but haven't fully tested is adding the following
>>>> options to my resolv.conf.
>>>>
>>>> cat /etc/resolvconf/resolv.conf.d/tail
>>>> options timeout:1
>>> Great, this sounds exactly as what I need! However, I tried this: no
>>> effect. I created this file and restarted the network service. But I
>>> still get long timeouts and can't login via ssh, when I suspend my
>>> 1st DC.
>>>
>>> # cat /etc/resolvconf/resolv.conf.d/tail
>>> options timeout:1
>>> options edns0
>>>
>>> Or do I need Network Manager for that?
>>>
>>>
>>>> options edns0
>>> What's that for, particularly?
>>>
>>>
>>>> timeout:n
>>>> sets the amount of time the resolver will wait
>>>> for a response from a remote name server before retrying the query
>>>> via a different name
>>>> server. Measured in seconds, the default is
>>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
>>>> is silently capped to 30.
>>>>
>>>> edns0 (since glibc 2.6)
>>>> sets RES_USE_EDNSO in _res.options. This enables
>>>> support for the DNS extensions described in RFC 2671.
>>>>
>>>> From what I researched, this is the intended behavior on a Microsoft
>>>> Server. Again I can disable my "PDC" and log in from a windows
>>>> workstation just fine. It appears for some users after an hour or so
>>>> they run into issues
>>> I thought this was only happening with roaming machines resulting in
>>> cached logins.
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba

Ole,

Sorry you are having so many issues. I've tried reading back through
this thread to verify everything that has been covered. Can you try this
command with the "PDC" up and down? Reply with your findings.

KRB5_TRACE=/dev/stdout kinit administrator

--
-James
L.P.H. van Belle
2016-Jan-07 08:45 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai Ole,

What does this give you as output?

host bpn.tu-berlin.de

I assume your DNS domain name is the same as your REALM_NAME ?
For me it shows the 2 IP addresses of my DC's. And my MX record.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Wednesday 6 January 2016 19:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> On 1/6/2016 10:56 AM, Ole Traupe wrote:
> > Ok, I updated resolv.conf as you said. Then I restarted the network
> > service on this member server and afterwards suspended the 1st DC.
> > Now, kinit gives me again:
> >
> > "Cannot contact any KDC for realm 'BPN.TU-BERLIN.DE' while getting
> > initial credentials"
> >
> > Ole
> >
> >
> > On 05.01.2016 at 13:41, L.P.H. van Belle wrote:
> >> For the member servers, to reduce timeouts etc. when one DC is down.
> >>
> >> Change your resolv.conf to :
> >> domain internal.domain.tld
> >> search internal.domain.tld
> >>
> >> nameserver IP_DC1
> >> nameserver IP_DC2
> >>
> >> options timeout:2
> >> options attempts:2
> >> options rotate
> >> options edns0
> >>
> >> see man resolv.conf for the options explained.
> >>
> >> Ow.. and ..
> >>
> >> domain and search are NOT exclusive anymore in Debian Jessie and up.
> >> At least, I didn't find it anymore.
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >>
> >>> -----Original message-----
> >>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> >>> Sent: Tuesday 5 January 2016 12:30
> >>> To: samba at lists.samba.org
> >>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> >>> initially fails when PDC is offline
> >>>
> >>>
> >>>> I can't recall but are you able to get a packet trace? This may
> >>>> help further troubleshoot.
> >>> I'll look into this. However, Rowland stated that bind9 will be the
> >>> only
> >>> solution.
> >>>
> >>>
> >>>> Just to recap, do you have both servers listed as available DNS servers
> >>>> on your workstations? As well as your member server?
> >>> Yes, of course. For member servers, this is the content of
> >>> /etc/resolv.conf:
> >>>
> >>> search my.domain.tld
> >>> nameserver IP_of_1st_DC
> >>> nameserver IP_of_2nd_DC
> >>>
> >>>
> >>>> I made a small tweak but haven't fully tested is adding the following
> >>>> options to my resolv.conf.
> >>>>
> >>>> cat /etc/resolvconf/resolv.conf.d/tail
> >>>> options timeout:1
> >>> Great, this sounds exactly as what I need! However, I tried this: no
> >>> effect. I created this file and restarted the network service. But I
> >>> still get long timeouts and can't login via ssh, when I suspend my
> >>> 1st DC.
> >>>
> >>> # cat /etc/resolvconf/resolv.conf.d/tail
> >>> options timeout:1
> >>> options edns0
> >>>
> >>> Or do I need Network Manager for that?
> >>>
> >>>
> >>>> options edns0
> >>> What's that for, particularly?
> >>>
> >>>
> >>>> timeout:n
> >>>> sets the amount of time the resolver will wait
> >>>> for a response from a remote name server before retrying the query
> >>>> via a different name
> >>>> server. Measured in seconds, the default is
> >>>> RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option
> >>>> is silently capped to 30.
> >>>>
> >>>> edns0 (since glibc 2.6)
> >>>> sets RES_USE_EDNSO in _res.options. This enables
> >>>> support for the DNS extensions described in RFC 2671.
> >>>>
> >>>> From what I researched, this is the intended behavior on a Microsoft
> >>>> Server. Again I can disable my "PDC" and log in from a windows
> >>>> workstation just fine. It appears for some users after an hour or so
> >>>> they run into issues
> >>> I thought this was only happening with roaming machines resulting in
> >>> cached logins.
> >>>
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
>
> Ole,
>
> Sorry you are having so many issues. I've tried reading back
> through this thread to verify everything that has been covered. Can you
> try this command with the "PDC" up and down? Reply with your findings.
>
> KRB5_TRACE=/dev/stdout kinit administrator
>
> --
> -James
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba