Ole Traupe
2015-Dec-17 14:46 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 14:32, Rowland penny wrote:
> On 17/12/15 12:50, Ole Traupe wrote:
>> I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.
>
> If you are sure that you now have all the dns records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something)
>
> Can your domain members find the DCs?
> Do your domain members have a FQDN?
> Are they joined to the domain?
> What have you got in smb.conf on the domain members?
>
> You may have posted all or some of this before, but let's start again.
>
> Rowland

Ok, there were still records missing (according to "samba_dnsupdate --verbose"). I added them manually, and now I get "No DNS updates needed" on both my DCs.

Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).

Some questions:

- what about that corrupted record I mentioned earlier, how can I get rid of it?
- why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?
- why does the dns update fail in the first place? will I have the same problem again with the next DC I set up?
- why do I still have the login problems?

Ole
Rowland penny
2015-Dec-17 15:21 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17/12/15 14:46, Ole Traupe wrote:
> On 17.12.2015 at 14:32, Rowland penny wrote:
>> On 17/12/15 12:50, Ole Traupe wrote:
>>> I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.
>>
>> If you are sure that you now have all the dns records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something)
>>
>> Can your domain members find the DCs?
>> Do your domain members have a FQDN?
>> Are they joined to the domain?
>> What have you got in smb.conf on the domain members?
>>
>> You may have posted all or some of this before, but let's start again.
>>
>> Rowland
>
> Ok, there were still records missing (according to "samba_dnsupdate --verbose"). I added them manually, and now I get "No DNS updates needed" on both my DCs.
>
> Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).
>
> Some questions:
>
> - what about that corrupted record I mentioned earlier, how can I get rid of it?

Have you tried using samba-tool?

> - why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?

Don't know, if you understand python, you could try looking at the script.

> - why does the dns update fail in the first place?

I am not sure that it does fail. When you provision the first DC, all the required dns entries are added by the provision, but when you join a DC, a lot of the dns entries are only added by the samba_dnsupdate script and this is only run when you start samba on the newly joined DC. It does print a lot of error messages, but it seems to work anyway. If you check the dns on the first DC before starting the second, you will find missing dns entries, but these should be filled once the samba_dnsupdate script is run.

> will I have the same problem again with the next DC I set up?

Again, I am unsure why you are having the problems, so I do not know if you will have the same problems. If you have done something incorrectly and do this again when you join another DC, then you are likely to again have problems.

> - why do I still have the login problems?

Don't know, can you answer the questions I asked earlier.

Rowland

> Ole
Ole Traupe
2015-Dec-17 15:48 UTC
[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
On 17.12.2015 at 16:21, Rowland penny wrote:
> On 17/12/15 14:46, Ole Traupe wrote:
>> On 17.12.2015 at 14:32, Rowland penny wrote:
>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>> I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.
>>>
>>> If you are sure that you now have all the dns records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something)
>>>
>>> Can your domain members find the DCs?
>>> Do your domain members have a FQDN?
>>> Are they joined to the domain?
>>> What have you got in smb.conf on the domain members?
>>>
>>> You may have posted all or some of this before, but let's start again.
>>>
>>> Rowland
>>
>> Ok, there were still records missing (according to "samba_dnsupdate --verbose"). I added them manually, and now I get "No DNS updates needed" on both my DCs.
>>
>> Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).
>>
>> Some questions:
>>
>> - what about that corrupted record I mentioned earlier, how can I get rid of it?
>
> Have you tried using samba-tool?

That's what I posted earlier:

"I accidentally created a record with a false port. I then updated the port but was afraid of any consequences. So I deleted that record again and wanted to re-create it. But I can't: "The record already exists." Although I can't see it in the gui. And I also can't delete it (EDIT: although this worked with the corresponding record for the 1st DC; so the command is ok):

# samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100"
ERROR: Record does not exist

But it can be found with dig:

# dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV

;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc2.my.domain.tld.

;; Query time: 1 msec
;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
;; WHEN: Thu Dec 17 13:28:06 2015
;; MSG SIZE rcvd: 103"

>> - why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?
>
> Don't know, if you understand python, you could try looking at the script.

Does it behave the same way on your 1st (one check) and 2nd DC (two checks)?

>> - why does the dns update fail in the first place?
>
> I am not sure that it does fail. When you provision the first DC, all the required dns entries are added by the provision, but when you join a DC, a lot of the dns entries are only added by the samba_dnsupdate script and this is only run when you start samba on the newly joined DC. It does print a lot of error messages, but it seems to work anyway. If you check the dns on the first DC before starting the second, you will find missing dns entries, but these should be filled once the samba_dnsupdate script is run.

And this is what is not happening here. I can't say whether it is run when samba restarts, but when run manually, it fails. That's why I created the records by hand.

>> will I have the same problem again with the next DC I set up?
>
> Again, I am unsure why you are having the problems, so I do not know if you will have the same problems. If you have done something incorrectly and do this again when you join another DC, then you are likely to again have problems.
>
>> - why do I still have the login problems?
>
> Don't know, can you answer the questions I asked earlier.
>
> Rowland
>
>> Ole
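Rowland's questions (can the members find both DCs?) come down to whether the SRV records that samba_dnsupdate is supposed to maintain actually list every DC with the right port. The script below is an added example, not code from the thread or from Samba: it queries the standard AD SRV names from a chosen nameserver and reports any DC that is absent from an answer or published with a wrong port, the failure mode behind the mis-created record discussed above. Domain, DC hostnames and nameserver are placeholders; dig is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every DC is advertised, with the
# expected port, in the AD SRV records member servers rely on for kinit, LDAP and
# global catalog lookups. Hostnames and domain are placeholders.

# srv_missing ANSWER PORT DC_FQDN...
# ANSWER is dig answer-section text ("name ttl IN SRV prio weight port target").
# Prints each DC that has no SRV entry with PORT; returns 1 if any is missing.
srv_missing() {
    answer=$1; port=$2; shift 2
    rc=0
    for dc in "$@"; do
        # dig prints targets fully qualified with a trailing dot, so compare "$dc."
        if ! printf '%s\n' "$answer" | awk -v p="$port" -v h="$dc." \
            '$4 == "SRV" && $7 == p && $8 == h { found = 1 } END { exit !found }'; then
            echo "MISSING: $dc (port $port)"
            rc=1
        fi
    done
    return $rc
}

# check_dc_srv_records DOMAIN NAMESERVER DC_FQDN...
# Queries the standard AD SRV names (the ones samba_dnsupdate registers for a DC)
# and reports DCs absent from each answer. Returns 1 if anything is missing.
check_dc_srv_records() {
    domain=$1; ns=$2; shift 2
    rc=0
    for spec in _ldap._tcp:389 _kerberos._tcp:88 _kpasswd._tcp:464 _gc._tcp:3268 \
                _ldap._tcp.dc._msdcs:389 _kerberos._tcp.dc._msdcs:88 \
                _ldap._tcp.gc._msdcs:3268; do
        name="${spec%%:*}.$domain"; port="${spec##*:}"
        answer=$(dig +noall +answer "@$ns" "$name" SRV)
        echo "== $name"
        srv_missing "$answer" "$port" "$@" || rc=1
    done
    return $rc
}

# Constructed sample in the shape of the dig answer quoted in the thread; dc2 is
# deliberately published on the wrong port (3269), as in the mis-created record.
SAMPLE_ANSWER='_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3269 dc2.my.domain.tld.'

# Live usage: check_dc_srv_records my.domain.tld dc1.my.domain.tld dc1.my.domain.tld dc2.my.domain.tld
# Offline check of the sample: srv_missing "$SAMPLE_ANSWER" 3268 dc1.my.domain.tld dc2.my.domain.tld
```

Run it once against each DC as nameserver: a DC whose own zone copy is complete while the other DC's is not points at the replication or samba_dnsupdate problem discussed in the thread.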