Rowland penny
2015-Dec-09 17:16 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09/12/15 17:03, James wrote:
> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>
>>> - But when I try to ssh to a member server, it still takes forever,
>>> and a 'kinit' on a member server gives this:
>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials"
>>>
>>> My /etc/krb5.conf looks like this (following your suggestions,
>>> Rowland, as everything else are defaults):
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>>
>>> And my /etc/resolv.conf is this:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>
>> Any idea why I still get this when trying to log on to a member
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials
>>
>> Ole
>>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work is to specify the kdc and not rely on dns.
> for instance.
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> MY.DOMAIN.TLD = {
> kdc = IP of First DC
> kdc = IP of Second DC
> }
>

If you have to do that, then there is something wrong with your dns and you need to fix this, dns is an important part of AD and really needs to work correctly.

I have been doing some testing with dns and with the internal dns server, even if you add another NS to the SOA record, you only have one NS. It seems the only way to get each DC to think it is a NS, is to use bind9.

Rowland
James
2015-Dec-09 17:32 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 12/9/2015 12:16 PM, Rowland penny wrote:
> On 09/12/15 17:03, James wrote:
>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>
>>>> - But when I try to ssh to a member server, it still takes forever,
>>>> and a 'kinit' on a member server gives this:
>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials"
>>>>
>>>> My /etc/krb5.conf looks like this (following your suggestions,
>>>> Rowland, as everything else are defaults):
>>>>
>>>> [libdefaults]
>>>> default_realm = MY.DOMAIN.TLD
>>>>
>>>> And my /etc/resolv.conf is this:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>
>>> Any idea why I still get this when trying to log on to a member
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials
>>>
>>> Ole
>>>
>> Ole,
>>
>> I was trying to look back through your posts so excuse me if you
>> have answered this. What was your original krb.conf file contents? A
>> few things that may work is to specify the kdc and not rely on dns.
>> for instance.
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
>>
>> [realms]
>> MY.DOMAIN.TLD = {
>> kdc = IP of First DC
>> kdc = IP of Second DC
>> }
>>
>
> If you have to do that, then there is something wrong with your dns
> and you need to fix this, dns is an important part of AD and really
> needs to work correctly.
>
> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have
> one NS. It seems the only way to get each DC to think it is a NS, is
> to use bind9.
>
> Rowland
>

Rowland,

I can understand that to be true. However it could apply in situations where DNS traffic would like to be kept to a minimum. At least that was my mind set when I researched using this config.

--
-James
Ole Traupe
2015-Dec-10 13:18 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 09.12.2015 at 18:16, Rowland penny wrote:
> On 09/12/15 17:03, James wrote:
>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>
>>>> - But when I try to ssh to a member server, it still takes forever,
>>>> and a 'kinit' on a member server gives this:
>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials"
>>>>
>>>> My /etc/krb5.conf looks like this (following your suggestions,
>>>> Rowland, as everything else are defaults):
>>>>
>>>> [libdefaults]
>>>> default_realm = MY.DOMAIN.TLD
>>>>
>>>> And my /etc/resolv.conf is this:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>
>>> Any idea why I still get this when trying to log on to a member
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials
>>>
>>> Ole
>>>
>> Ole,
>>
>> I was trying to look back through your posts so excuse me if you
>> have answered this. What was your original krb.conf file contents? A
>> few things that may work is to specify the kdc and not rely on dns.
>> for instance.
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
>>
>> [realms]
>> MY.DOMAIN.TLD = {
>> kdc = IP of First DC
>> kdc = IP of Second DC
>> }
>>
>
> If you have to do that, then there is something wrong with your dns
> and you need to fix this, dns is an important part of AD and really
> needs to work correctly.
>
> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have
> one NS. It seems the only way to get each DC to think it is a NS, is
> to use bind9.
>
> Rowland

Hm, as I said: swapping kdc and nameserver entries on the member server (and restarting the network service) was able to solve the problem, if I remember correctly.
Ole Traupe
2015-Dec-10 13:25 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Is it possible that kdc server is always the SOA, at least if derived from DNS and not specified *explicitly* in the krb5.conf?

In my DNS-Manager console I find that

_tcp.dc._msdcs.bpn.tu-berlin.de

contains only 1 "_kerberos" record, and that one points to my First_DC.

Ole

On 09.12.2015 at 18:16, Rowland penny wrote:
> On 09/12/15 17:03, James wrote:
>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>
>>>> - But when I try to ssh to a member server, it still takes forever,
>>>> and a 'kinit' on a member server gives this:
>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials"
>>>>
>>>> My /etc/krb5.conf looks like this (following your suggestions,
>>>> Rowland, as everything else are defaults):
>>>>
>>>> [libdefaults]
>>>> default_realm = MY.DOMAIN.TLD
>>>>
>>>> And my /etc/resolv.conf is this:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>
>>> Any idea why I still get this when trying to log on to a member
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials
>>>
>>> Ole
>>>
>> Ole,
>>
>> I was trying to look back through your posts so excuse me if you
>> have answered this. What was your original krb.conf file contents? A
>> few things that may work is to specify the kdc and not rely on dns.
>> for instance.
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>> dns_lookup_kdc = false
>> dns_lookup_realm = false
>>
>> [realms]
>> MY.DOMAIN.TLD = {
>> kdc = IP of First DC
>> kdc = IP of Second DC
>> }
>>
>
> If you have to do that, then there is something wrong with your dns
> and you need to fix this, dns is an important part of AD and really
> needs to work correctly.
>
> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have
> one NS. It seems the only way to get each DC to think it is a NS, is
> to use bind9.
>
> Rowland
>
Rowland penny
2015-Dec-10 13:29 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 13:18, Ole Traupe wrote:
>
> On 09.12.2015 at 18:16, Rowland penny wrote:
>> On 09/12/15 17:03, James wrote:
>>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>>
>>>>> - But when I try to ssh to a member server, it still takes
>>>>> forever, and a 'kinit' on a member server gives this:
>>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>>> getting initial credentials"
>>>>>
>>>>> My /etc/krb5.conf looks like this (following your suggestions,
>>>>> Rowland, as everything else are defaults):
>>>>>
>>>>> [libdefaults]
>>>>> default_realm = MY.DOMAIN.TLD
>>>>>
>>>>> And my /etc/resolv.conf is this:
>>>>>
>>>>> search my.domain.tld
>>>>> nameserver IP_of_1st_DC
>>>>> nameserver IP_of_2nd_DC
>>>>
>>>> Any idea why I still get this when trying to log on to a member
>>>> server while the first DC is down?
>>>>
>>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials
>>>>
>>>> Ole
>>>>
>>> Ole,
>>>
>>> I was trying to look back through your posts so excuse me if you
>>> have answered this. What was your original krb.conf file contents? A
>>> few things that may work is to specify the kdc and not rely on dns.
>>> for instance.
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>> dns_lookup_kdc = false
>>> dns_lookup_realm = false
>>>
>>> [realms]
>>> MY.DOMAIN.TLD = {
>>> kdc = IP of First DC
>>> kdc = IP of Second DC
>>> }
>>>
>>
>> If you have to do that, then there is something wrong with your dns
>> and you need to fix this, dns is an important part of AD and really
>> needs to work correctly.
>>
>> I have been doing some testing with dns and with the internal dns
>> server, even if you add another NS to the SOA record, you only have
>> one NS. It seems the only way to get each DC to think it is a NS, is
>> to use bind9.
>>
>> Rowland
>
> Hm, as I said: swapping kdc and nameserver entries on the member
> server (and restarting the network service) was able to solve the
> problem, if I remember correctly.
>

This is what is in resolv.conf on each DC:

root@dc1:~# nano /etc/resolv.conf
search samdom.example.com
nameserver 192.168.0.6
nameserver 192.168.0.5

root@dc2:~# nano /etc/resolv.conf
search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

dc1.samdom.example.com is 192.168.0.5
dc2.samdom.example.com is 192.168.0.6

Both have just this in /etc/krb5.conf

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM

Everything is working correctly.

Rowland
Rowland penny
2015-Dec-10 13:38 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 10/12/15 13:25, Ole Traupe wrote:
> Is it possible that kdc server is always the SOA, at least if derived
> from DNS and not specified *explicitly* in the krb5.conf?
>
> In my DNS-Manager console I find that
>
> _tcp.dc._msdcs.bpn.tu-berlin.de
>
> contains only 1 "_kerberos" record, and that one points to my First_DC.
>
> Ole
>

Your problem doesn't seem to be a dns problem, you should have two 'kerberos' records and no matter how good your dns is, it cannot obtain something that isn't there :-)

See Louis's earlier post for how to attempt to fix this, but before you do anything, restart samba on the second DC and then check the logs, samba_dnsupdate should add the records you are missing.

Rowland
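A way to check the point Rowland makes above, as an added example that is not from the thread and not Samba's own tooling: it parses a member server's krb5.conf and a constructed set of `_kerberos._tcp.dc._msdcs` SRV answers (in the `dig +short SRV` layout: priority, weight, port, target), lists the KDCs the client can actually fall back to, and reports DCs that exist but are not advertised. The hostnames and the single-record zone are assumptions modelled on the thread.

```python
import re

# Constructed sample inputs (not from the thread): the minimal krb5.conf
# Rowland recommends, and a zone that registered only one _kerberos record.
KRB5_CONF = """[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
"""
SRV_ANSWERS = ["0 100 88 dc1.samdom.example.com."]   # dig +short SRV style
EXPECTED_DCS = ["dc1.samdom.example.com", "dc2.samdom.example.com"]


def parse_krb5(text):
    """Return (dns_lookup_kdc, {REALM: [kdc, ...]}) from krb5.conf text."""
    dns_lookup = True                 # MIT/Heimdal default when the key is absent
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and line.lower().startswith("dns_lookup_kdc"):
            dns_lookup = line.split("=", 1)[1].strip().lower() in ("true", "yes", "1")
        elif section == "realms":
            m = re.match(r"(\S+)\s*=\s*\{", line)
            if m:
                realm = m.group(1).upper()
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.lower().startswith("kdc"):
                realms[realm].append(line.split("=", 1)[1].strip().split(":")[0].lower())
    return dns_lookup, realms


def srv_targets(answers):
    """Targets from `dig +short SRV` lines: 'prio weight port target.'."""
    return [a.split()[3].rstrip(".").lower() for a in answers if len(a.split()) == 4]


def effective_kdcs(krb5_text, realm, answers):
    """KDCs the client will try: explicit kdc= lines, else the SRV targets."""
    dns_lookup, realms = parse_krb5(krb5_text)
    if not dns_lookup:
        return sorted(set(realms.get(realm.upper(), [])))
    return sorted(set(srv_targets(answers)))


def missing_kdcs(expected_dcs, kdcs):
    """DCs that exist but this client can never use as a KDC."""
    return sorted({d.lower() for d in expected_dcs} - set(kdcs))
```

With the sample zone the result is a single KDC and `dc2` reported missing, which is exactly the state in which a member server hangs when the first DC is down.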