L.P.H. van Belle
2015-Dec-09 16:53 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai Ole,

Can you run on the member where you logged in.

host -t SRV _ldap._tcp.samdom.example.com.
host -t SRV _kerberos._udp.samdom.example.com.

host -t A dc1.samdom.example.com.
host -t A dc2.samdom.example.com.

and again with

search my.domain.tld
nameserver IP_of_2nd_DC
nameserver IP_of_1st_DC

looks ok to me so far.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Wednesday 9 December 2015 17:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> > - But when I try to ssh to a member server, it still takes forever,
> > and a 'kinit' on a member server gives this:
> > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> > getting initial credentials"
> >
> > My /etc/krb5.conf looks like this (following your suggestions,
> > Rowland, as everything else are defaults):
> >
> > [libdefaults]
> > default_realm = MY.DOMAIN.TLD
> >
> > And my /etc/resolv.conf is this:
> >
> > search my.domain.tld
> > nameserver IP_of_1st_DC
> > nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting
> initial credentials
>
> Ole
Ole Traupe
2015-Dec-10 13:08 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
> Hai Ole,
>
> Can you run on the member where you logged in.
>
> host -t SRV _ldap._tcp.samdom.example.com.
> host -t SRV _kerberos._udp.samdom.example.com.
>
> host -t A dc1.samdom.example.com.
> host -t A dc2.samdom.example.com.
>
> and again with
> search my.domain.tld
> nameserver IP_of_2nd_DC
> nameserver IP_of_1st_DC

Both times the same:

[root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.

[root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.

[root at server me]# host -t A dc1.my.domain.tld.
dc1.my.domain.tld has address IP_of_FirstDC

[root at server me]# host -t A dc2.my.domain.tld.
dc2.my.domain.tld has address IP_of_SecondDC

There is no need to restart network service after altering resolv.conf, right?
Rowland penny
2015-Dec-10 13:18 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 13:08, Ole Traupe wrote:
> Am 09.12.2015 um 17:53 schrieb L.P.H. van Belle:
>> Hai Ole,
>>
>> Can you run on the member where you logged in.
>>
>> host -t SRV _ldap._tcp.samdom.example.com.
>> host -t SRV _kerberos._udp.samdom.example.com.
>>
>> host -t A dc1.samdom.example.com.
>> host -t A dc2.samdom.example.com.
>>
>> and again with
>> search my.domain.tld
>> nameserver IP_of_2nd_DC
>> nameserver IP_of_1st_DC
>
> Both times the same:
>
> [root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
> _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
>
> [root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
> _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.

You have problems. If you have two DCs, you should get something like this:

root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.

root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.

Rowland

> [root at server me]# host -t A dc1.my.domain.tld.
> dc1.my.domain.tld has address IP_of_FirstDC
>
> [root at server me]# host -t A dc2.my.domain.tld.
> dc2.my.domain.tld has address IP_of_SecondDC
>
> There is no need to restart network service after altering
> resolv.conf, right?
L.P.H. van Belle
2015-Dec-10 13:20 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Hai Ole,

Ok, so there is your problem.

If you have 2 DC's, then with the command:

host -t SRV _ldap._tcp.my.domain.tld.

you should see:

_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc2.my.domain.tld.

Have a look here
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

so you have seen bug 10928 in action ;-)
https://bugzilla.samba.org/show_bug.cgi?id=10928

Greetz,

Louis

> -----Original message-----
> From: Ole Traupe [mailto:ole.traupe at tu-berlin.de]
> Sent: Thursday 10 December 2015 14:08
> To: L.P.H. van Belle
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> Am 09.12.2015 um 17:53 schrieb L.P.H. van Belle:
> > Hai Ole,
> >
> > Can you run on the member where you logged in.
> >
> > host -t SRV _ldap._tcp.samdom.example.com.
> > host -t SRV _kerberos._udp.samdom.example.com.
> >
> > host -t A dc1.samdom.example.com.
> > host -t A dc2.samdom.example.com.
> >
> > and again with
> > search my.domain.tld
> > nameserver IP_of_2nd_DC
> > nameserver IP_of_1st_DC
>
> Both times the same:
>
> [root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
> _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
>
> [root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
> _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
>
> [root at server me]# host -t A dc1.my.domain.tld.
> dc1.my.domain.tld has address IP_of_FirstDC
>
> [root at server me]# host -t A dc2.my.domain.tld.
> dc2.my.domain.tld has address IP_of_SecondDC
>
> There is no need to restart network service after altering resolv.conf,
> right?
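A small check for the condition Rowland and Louis point out, that every DC must appear in both the _ldap._tcp and _kerberos._udp SRV records or clients cannot fail over when one DC is down. This is an added example, not code from the thread or from the Samba project: it parses `host -t SRV` output and lists the DCs that have no record; the two sample outputs are constructed from the lines posted above, and the `query_host` helper assumes the `host` tool is installed.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample: the output Ole posted (only dc1 is registered).
SAMPLE_BROKEN = """\
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
"""
# Constructed sample: what a two-DC domain should return, per Rowland and Louis.
SAMPLE_HEALTHY = """\
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc2.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc2.my.domain.tld.
"""

# One `host -t SRV` answer line: name, priority, weight, port, target.
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)$")


def parse_host_srv(output):
    """Map each SRV name to the set of target hosts found in `host -t SRV` output."""
    targets = defaultdict(set)
    for line in output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, _prio, _weight, _port, target = m.groups()
            targets[name.lower().rstrip(".")].add(target.lower().rstrip("."))
    return targets


def missing_dcs(output, realm, dcs):
    """For the two AD SRV names, list which of the expected DCs lack a record."""
    expected = (f"_kerberos._udp.{realm}", f"_ldap._tcp.{realm}")
    found = parse_host_srv(output)
    want = {d.lower().rstrip(".") for d in dcs}
    return {svc: sorted(want - found.get(svc, set())) for svc in expected}


def query_host(name):
    """Run the same query the thread uses (hypothetical helper; needs `host`)."""
    res = subprocess.run(["host", "-t", "SRV", name], capture_output=True, text=True)
    return res.stdout


if __name__ == "__main__":
    dcs = ["dc1.my.domain.tld", "dc2.my.domain.tld"]
    for svc, gone in missing_dcs(SAMPLE_BROKEN, "my.domain.tld", dcs).items():
        print(svc, "missing:", gone or "none")
```

On a live member, concatenate the output of `query_host` for both SRV names and pass it to `missing_dcs`; any non-empty list is a DC the Samba wiki page above tells you to re-register.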